I have implemented bearer token authentication (Authentication in each request with a client-id and access-token in the header).
When I use the wrong credentials (Access-Token), I get back a "200 OK" with an empty body. Is this expected? Shouldn't it be a 401 or 404? When I use correct credentials I get back "200 OK" with the expected JSON response body.
I'm using the DefaultPasswordService and AuthorizingRealm. Maybe I'm missing something?
Using Shiro 1.2.3
I think I solved the problem.
Before, my onAccessDenied() looked like this:
    @Override
    protected boolean onAccessDenied(ServletRequest request, ServletResponse response)
            throws Exception {
        if (hasAuthorizationToken(request)) {
            // Proceed with authentication
            return executeLogin(request, response);
        }
        // Return 401 if authentication failed
        WebUtils.toHttp(response).sendError(
                Status.UNAUTHORIZED.getStatusCode(),
                "Oops, Authentication required");
        return false;
    }
Now it looks like this:
    @Override
    protected boolean onAccessDenied(ServletRequest request, ServletResponse response)
            throws Exception {
        boolean authenticated = false;
        if (hasAuthorizationToken(request)) {
            // Proceed with authentication
            authenticated = executeLogin(request, response);
        }
        // Return 401 if authentication failed
        if (!authenticated) {
            WebUtils.toHttp(response).sendError(
                    Status.UNAUTHORIZED.getStatusCode(),
                    "Oops, Authentication required");
        }
        return authenticated;
    }
I needed to manually return Status.UNAUTHORIZED when authentication failed.
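The complete filter behind the fix above, as an added example that is not code from the original post or from the Shiro project: a hypothetical BearerTokenFilter extending Shiro's AuthenticatingFilter. The header names Client-Id and Access-Token are assumptions (the post only says "client-id and access-token"), and it uses HttpServletResponse.SC_UNAUTHORIZED instead of the JAX-RS Status constant so it depends on Shiro and the Servlet API only.

```java
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.web.filter.authc.AuthenticatingFilter;
import org.apache.shiro.web.util.WebUtils;

/** Hypothetical filter: authenticates every request from two headers. */
public class BearerTokenFilter extends AuthenticatingFilter {

    // Header names are assumptions; the post only mentions client-id and access-token.
    static final String CLIENT_ID_HEADER = "Client-Id";
    static final String ACCESS_TOKEN_HEADER = "Access-Token";

    @Override
    protected AuthenticationToken createToken(ServletRequest request, ServletResponse response) {
        HttpServletRequest http = WebUtils.toHttp(request);
        // The realm (e.g. an AuthorizingRealm using DefaultPasswordService) sees
        // the client id as the principal and the access token as the credential.
        return new UsernamePasswordToken(http.getHeader(CLIENT_ID_HEADER),
                                         http.getHeader(ACCESS_TOKEN_HEADER));
    }

    private boolean hasAuthorizationToken(ServletRequest request) {
        HttpServletRequest http = WebUtils.toHttp(request);
        return http.getHeader(CLIENT_ID_HEADER) != null
            && http.getHeader(ACCESS_TOKEN_HEADER) != null;
    }

    @Override
    protected boolean onAccessDenied(ServletRequest request, ServletResponse response) throws Exception {
        boolean authenticated = false;
        if (hasAuthorizationToken(request)) {
            // executeLogin() returns false on bad credentials but writes nothing to the
            // response. Returning that false by itself just halts the filter chain, so
            // the client receives an empty 200: the symptom described in the question.
            authenticated = executeLogin(request, response);
        }
        if (!authenticated) {
            HttpServletResponse http = WebUtils.toHttp(response);
            // A 401 should carry a challenge (RFC 6750 for bearer schemes).
            http.setHeader("WWW-Authenticate", "Bearer");
            http.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Oops, Authentication required");
        }
        // false stops the chain, so the 401 written above is the final response
        return authenticated;
    }
}
```

Register the filter in shiro.ini under [main] and map the protected paths to it under [urls]; a request with a wrong Access-Token then receives 401 with a WWW-Authenticate header rather than an empty 200.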