If a custom JASPI auth module throws an exception, Wildfly/Undertow (the JASPI authenticator) ignores it and returns a 200. The web page that was requested does not get displayed. A blank page and a HTTP 200 are returned.

Should a 40x or a 500 be returned instead? Or is it the responsibility of the custom JASPI auth module to set the status correctly?

It seems like the container would need to be careful and not overwrite a status code that the JASPI module had explicitly set.