Details
- Bug
- Status: Resolved
- Major
- Resolution: Fixed
- 1.7.1
- None
Description
ExceptionMapper:
    if (exception instanceof UnauthorizedException) {
        status = Status.FORBIDDEN;
    } else {
        status = Status.UNAUTHORIZED;
    }
I am pretty sure it is meant the other way round.
Rationale: If you try to read a resource that has `@RequiresPermission` annotations without authentication, it will throw an UnauthenticatedException. But this should not lead to a status code UNAUTHORIZED, but to a status code FORBIDDEN.
UNAUTHORIZED should be returned for UnauthorizedException (hence the name).
Guests or any authenticated role could (at some point in the future) get the permission to read the resource, so FORBIDDEN is the correct status code.