WildFly WIP / WFWIP-328

HTTP External Security: Both unauthorized and unauthenticated HTTP requests return 403


    • Bug
    • Resolution: Not a Bug
    • Critical
    • Security
    • None

      Related RFE: EAP7-1323 - HTTP External Security Not Supported by Elytron

      Both unauthorized and unauthenticated HTTP requests return 403.

      An unauthorized user should receive a 403 HTTP response, but an unauthenticated user should receive a 401 HTTP code.

      I checked it on WebSecurityExternalAuthTestCase (from wf-ts), and my new test for wrong authentication is failing (see this commit).

      This is not a regression against legacy security

      Related RFC: RFC-7235

            aabdelsa Ashley Abdel-Sayed (Inactive)
            mkopecky@redhat.com Marek Kopecky
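
The expectation stated in the report, written as a response audit that a test client could run (an added example, not code from the WildFly test suite or Elytron; the user names, roles and observed responses are constructed, and treating an unknown identity as unauthenticated is an assumption). It also checks the RFC 7235 requirement that a 401 response carry a WWW-Authenticate challenge.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed users and access rule; not taken from the issue or from WildFly.
ROLES = {"alice": {"admin"}, "bob": {"guest"}}
REQUIRED_ROLE = "admin"

@dataclass
class Observed:
    """One response recorded by a test client."""
    case: str                    # label for the test case
    identity: Optional[str]      # externally established identity, None if absent
    status: int                  # HTTP status code returned by the server
    headers: dict = field(default_factory=dict)

def expected_status(identity):
    """Status the report expects: 401 if unauthenticated, 403 if unauthorized."""
    # Assumption: an identity the server does not know counts as unauthenticated.
    if identity is None or identity not in ROLES:
        return 401
    return 200 if REQUIRED_ROLE in ROLES[identity] else 403

def audit(obs):
    """Return findings for one observed response (empty list if it conforms)."""
    findings = []
    want = expected_status(obs.identity)
    if obs.status != want:
        findings.append(f"{obs.case}: got {obs.status}, expected {want}")
    # RFC 7235: a 401 response must include a WWW-Authenticate challenge.
    has_challenge = any(k.lower() == "www-authenticate" and v.strip()
                        for k, v in obs.headers.items())
    if obs.status == 401 and not has_challenge:
        findings.append(f"{obs.case}: 401 without a WWW-Authenticate challenge")
    return findings

def audit_all(observations):
    return [finding for obs in observations for finding in audit(obs)]

# Constructed observations matching the behaviour described in the report:
# every rejected request comes back as 403.
REPORTED = [
    Observed("authorized user", "alice", 200),
    Observed("unauthorized user", "bob", 403),
    Observed("no identity", None, 403),
    Observed("unknown identity", "mallory", 403),
]

if __name__ == "__main__":
    for line in audit_all(REPORTED):
        print(line)
```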