Accessing a secure page as an unauthenticated user returns HTTP status 403 instead of 401.

Steps to reproduce:

1. Add this security domain to standalone.xml:

    <security-domain name="deny-all">
        <authentication>
            <login-module code="UsersRoles" flag="required"/>
        </authentication>
        <authorization>
            <policy-module code="org.jboss.security.authorization.modules.AllDenyAuthorizationModule" flag="required"/>
        </authorization>
    </security-domain>

2. Run the standalone server and deploy the attached Reproducer.war.

3. Open a browser and visit the page http://wronguser:wrongpassword@localhost:8080/Reproducer/secure.html
   It returns HTTP status 403 instead of 401.

(4. You can try to visit http://admin:admin@localhost:8080/Reproducer/secure.html
   It returns 403 correctly, because admin/admin is a correctly authenticated user.)
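The status codes this report expects, written as a simplified model of "authenticate first, then authorize". This is an added example, not the reporter's code and not JBoss or PicketBox code; the `USERS` table, the `deny_all` policy, the realm string and all function names are assumptions made for illustration.

```python
import base64
import binascii
import hmac

# Constructed sample data: one valid account, mirroring admin/admin in the report.
USERS = {"admin": "admin"}

def deny_all(user, path):
    """Hypothetical stand-in for a deny-all authorization policy."""
    return False

def parse_basic(header):
    """Return (user, password) from an Authorization header, or None if unusable."""
    if not header or not header.lower().startswith("basic "):
        return None
    try:
        decoded = base64.b64decode(header[6:].strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None

def authenticate(creds):
    """Return the user name if the credentials match, else None."""
    if creds is None:
        return None
    user, password = creds
    expected = USERS.get(user)
    # compare_digest avoids leaking the mismatch position through timing.
    if expected is not None and hmac.compare_digest(expected.encode(), password.encode()):
        return user
    return None

def respond(header, path="/Reproducer/secure.html", policy=deny_all):
    """Return (status, headers) for a request to a protected path."""
    user = authenticate(parse_basic(header))
    if user is None:
        # Identity not established: challenge the client (realm is a constructed value).
        return 401, {"WWW-Authenticate": 'Basic realm="Reproducer"'}
    if not policy(user, path):
        # Identity established, access refused by the authorization policy.
        return 403, {}
    return 200, {}

def basic(user, password):
    """Build a Basic Authorization header value."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()
```

The same three requests (no credentials, wrong credentials, admin/admin) can be replayed against a deployed server as a regression check for this issue.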
Created attachment 823909: reproducer
Updating status. The issue still exists in 6.3.0.ER10.
As the AllDenyAuthorizationModule is present, the request is not repeated; shouldn't it just return the 403 code?