Authentication mechanisms should not be setting the status code as where multiple mechanisms are in use together different mechanisms may require a different code - after all mechanisms have set their challenge we then choose the code to use.

Although the mechanism does not set the code directly I believe it is a side effect of the 'forward' call,