Shiro / SHIRO-818

JAX-RS ExceptionMapper returns wrong status code


Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • 1.7.1
    • 2.0.0-alpha
    • jax-rs
    • None

    Description

      ExceptionMapper:

          if (exception instanceof UnauthorizedException) {
              status = Status.FORBIDDEN;
          } else {
              status = Status.UNAUTHORIZED;
          }

      I am pretty sure it is meant the other way round.

      Rationale: If you try to read a resource which has `@RequiresPermissions` annotations without authentication, it will throw an UnauthenticatedException. This should not lead to status code UNAUTHORIZED, but to status code FORBIDDEN.

      Unauthorized should be returned for UnauthorizedException (hence the name).

      Guests or any authenticated role could (at some point in the future) get the permission to read the resource, so FORBIDDEN is the correct status code.
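Whichever status each exception should map to, the snippet quoted above has a second property worth checking: in Shiro, `org.apache.shiro.authz.UnauthenticatedException` extends `UnauthorizedException`, so `exception instanceof UnauthorizedException` is also true for an unauthenticated caller and the `else` branch is never taken for either of the two exception types the issue discusses. Both callers then receive the same status, and a client can no longer tell whether it needs to authenticate (the case RFC 7235 reserves 401 for) or is authenticated but not permitted. The program below is an added example, not Shiro's code; the exception classes and the `Status` enum are constructed stand-ins that mirror the real Shiro hierarchy and `javax.ws.rs.core.Response.Status`, so it compiles with plain `javac` and no dependencies. `mapSuperclassFirst` uses the branch order from the issue; `mapSubclassFirst` keeps the same status values and only tests the most specific type first.

```java
// Added example (not Shiro's code). The classes below are constructed
// stand-ins that mirror Shiro's real hierarchy:
//   AuthorizationException <- UnauthorizedException <- UnauthenticatedException
public class ExceptionMapperOrderDemo {

    // Stand-ins for org.apache.shiro.authz.* (constructed for this example)
    static class AuthorizationException extends RuntimeException {
        AuthorizationException(String msg) { super(msg); }
    }
    static class UnauthorizedException extends AuthorizationException {
        UnauthorizedException(String msg) { super(msg); }
    }
    static class UnauthenticatedException extends UnauthorizedException {
        UnauthenticatedException(String msg) { super(msg); }
    }

    // Stand-in for javax.ws.rs.core.Response.Status (constructed)
    enum Status {
        UNAUTHORIZED(401), FORBIDDEN(403);
        final int code;
        Status(int code) { this.code = code; }
    }

    // Same branch order as the snippet quoted in the issue: the superclass is
    // tested first. Because every UnauthenticatedException is also an
    // UnauthorizedException, both exception types land in the first branch
    // and the else branch only fires for other AuthorizationException subtypes.
    static Status mapSuperclassFirst(AuthorizationException e) {
        if (e instanceof UnauthorizedException) {
            return Status.FORBIDDEN;
        } else {
            return Status.UNAUTHORIZED;
        }
    }

    // Keeps the same two status values but tests the most specific type first,
    // so an unauthenticated caller and an authenticated-but-unpermitted caller
    // receive different responses.
    static Status mapSubclassFirst(AuthorizationException e) {
        if (e instanceof UnauthenticatedException) {
            return Status.UNAUTHORIZED;
        } else {
            return Status.FORBIDDEN;
        }
    }

    public static void main(String[] args) {
        // Constructed sample exceptions, one per level of the hierarchy
        AuthorizationException[] samples = {
            new UnauthenticatedException("no subject logged in"),
            new UnauthorizedException("subject lacks permission document:read"),
            new AuthorizationException("generic authorization failure")
        };
        for (AuthorizationException e : samples) {
            System.out.printf("%-26s superclass-first=%d  subclass-first=%d%n",
                e.getClass().getSimpleName(),
                mapSuperclassFirst(e).code,
                mapSubclassFirst(e).code);
        }
    }
}
```

Running it prints one line per sample; with the issue's branch order the first two samples get the same code, with the subclass tested first they differ. The same check applies to any `ExceptionMapper` keyed on a base exception type: order `instanceof` tests from most specific to least specific, or register one mapper per concrete exception class so JAX-RS picks the closest match itself.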

      People

        Assignee: Benjamin Marwell (bmarwell)
        Reporter: Benjamin Marwell (bmarwell)
        Votes: 0
        Watchers: 1

      Time Tracking

        Estimated: Not Specified
        Remaining: 0h
        Logged: 0.5h