
Replace Hardcoded 403 in Http403ForbiddenEntryPoint with HttpStatus.FORBIDDEN.value() #16615

Closed

Description

@yelm-212

Summary

In BasicAuthenticationEntryPoint and DelegatingAuthenticationEntryPoint, HTTP status codes are returned using HttpStatus.UNAUTHORIZED.value().
However, in Http403ForbiddenEntryPoint, the status code 403 is hardcoded.

For consistency and maintainability, should we update Http403ForbiddenEntryPoint to also use HttpStatus.FORBIDDEN.value()?

Suggested Improvement

To maintain consistency across different authentication entry points,
Http403ForbiddenEntryPoint could be modified as follows:

public void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException authException)
        throws IOException {
    logger.debug("Pre-authenticated entry point called. Rejecting access");
    response.sendError(HttpStatus.FORBIDDEN.value(), HttpStatus.FORBIDDEN.getReasonPhrase());
}

Current Implementation

  • BasicAuthenticationEntryPoint (Uses HttpStatus.UNAUTHORIZED.value())
    public void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException authException)
            throws IOException {
        response.addHeader("WWW-Authenticate", "Basic realm=\"" + this.realmName + "\"");
        response.sendError(HttpStatus.UNAUTHORIZED.value(), HttpStatus.UNAUTHORIZED.getReasonPhrase());
    }
  • DelegatingAuthenticationEntryPoint (Uses HttpStatus.UNAUTHORIZED.value())
    public void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException authException)
            throws IOException {
        response.addHeader("WWW-Authenticate", authenticateHeader);
        response.sendError(HttpStatus.UNAUTHORIZED.value(), HttpStatus.UNAUTHORIZED.getReasonPhrase());
    }
  • Http403ForbiddenEntryPoint (Hardcoded 403)
    public void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException authException)
            throws IOException {
        logger.debug("Pre-authenticated entry point called. Rejecting access");
        response.sendError(403, "Access Denied");
    }

Questions

  • Is there any specific reason why Http403ForbiddenEntryPoint does not follow the same pattern as BasicAuthenticationEntryPoint and DelegatingAuthenticationEntryPoint?
  • Would it make sense to standardize the use of HttpStatus.FORBIDDEN.value() for better readability and maintainability?
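A regression test that pins the behaviour this issue touches, added here as an example (it is not code from the Spring Security project or from the issue author). It uses JUnit 5 and Spring's MockHttpServletRequest/MockHttpServletResponse to check that Http403ForbiddenEntryPoint still answers with status 403 and the error message "Access Denied". Note that HttpStatus.FORBIDDEN.getReasonPhrase() is "Forbidden", so replacing the literal message with the reason phrase, as the suggested snippet does, changes the text a client sees, not only the status constant; the second test would fail after that change and makes the difference visible in review.

```java
import static org.junit.jupiter.api.Assertions.assertEquals;

import java.io.IOException;

import org.junit.jupiter.api.Test;
import org.springframework.http.HttpStatus;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.security.authentication.InsufficientAuthenticationException;
import org.springframework.security.web.authentication.Http403ForbiddenEntryPoint;

// Hypothetical test class; the request path "/admin" is a constructed sample value.
class Http403ForbiddenEntryPointContractTest {

    private final Http403ForbiddenEntryPoint entryPoint = new Http403ForbiddenEntryPoint();

    private MockHttpServletResponse invoke() throws IOException {
        MockHttpServletRequest request = new MockHttpServletRequest("GET", "/admin");
        MockHttpServletResponse response = new MockHttpServletResponse();
        // The entry point is reached when an unauthenticated caller hits a protected resource.
        entryPoint.commence(request, response,
                new InsufficientAuthenticationException("not authenticated"));
        return response;
    }

    @Test
    void commenceSendsForbiddenStatus() throws IOException {
        MockHttpServletResponse response = invoke();
        // The status is 403 whether it is written as a literal or as HttpStatus.FORBIDDEN.value();
        // asserting both ways documents that the refactoring is status-preserving.
        assertEquals(403, response.getStatus());
        assertEquals(HttpStatus.FORBIDDEN.value(), response.getStatus());
    }

    @Test
    void commenceKeepsAccessDeniedMessage() throws IOException {
        MockHttpServletResponse response = invoke();
        // sendError(403, "Access Denied") records "Access Denied" as the error message.
        // HttpStatus.FORBIDDEN.getReasonPhrase() returns "Forbidden", so switching to the
        // reason phrase is an observable change for clients or tests that read this text.
        assertEquals("Access Denied", response.getErrorMessage());
        assertEquals("Forbidden", HttpStatus.FORBIDDEN.getReasonPhrase());
    }
}
```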

Metadata

Labels

  • in: web (An issue in web modules (web, webmvc))
  • status: duplicate (A duplicate of another issue)
  • type: enhancement (A general enhancement)
