AuthenticationFailedRejection instead of AuthorizationFailedRejection?
hseeberger opened this issue
The ClientSessionManager uses an AuthorizationFailedRejection (by default) for a missing session, but wouldn't an AuthenticationFailedRejection be a better fit? The same applies to the CsrfManager.
Sorry for the late response, I was on vacation :)
I remember investigating this a while back, and as far as I recall there's quite a lot of debate on 403 vs 401, the latter being used for HTTP authentication. See for example: http://stackoverflow.com/questions/4301877/http-status-code-for-missing-authentication and https://en.wikipedia.org/wiki/HTTP_403

Hence the choice of an AuthorizationFailedRejection :)
Yeah, in the meantime I also came to that conclusion. Thanks!
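As an added example, not code from this thread or from the akka-http-session project, the following akka-http RejectionHandler shows the practical difference behind the 401 vs 403 choice: a 401 is only well-formed when it carries a WWW-Authenticate challenge the client can answer, which a cookie-backed session has no way to supply, whereas a 403 simply says the request is understood but not permitted. The `_sessiondata` cookie name, the `/secret` and `/basic` paths and the realm string are assumptions for illustration.

```scala
import akka.http.scaladsl.model.StatusCodes
import akka.http.scaladsl.model.headers.{HttpChallenges, `WWW-Authenticate`}
import akka.http.scaladsl.server._
import akka.http.scaladsl.server.Directives._
import akka.http.scaladsl.server.AuthenticationFailedRejection.CredentialsMissing

object SessionRejections {

  // Maps the two rejections onto the two status codes discussed above.
  val sessionRejectionHandler: RejectionHandler =
    RejectionHandler.newBuilder()
      // 403: the request was understood, the caller just may not proceed.
      // No challenge header is sent; there is nothing the client could "answer".
      .handle { case AuthorizationFailedRejection =>
        complete((StatusCodes.Forbidden, "session missing or invalid"))
      }
      // 401: only meaningful together with a WWW-Authenticate challenge,
      // which is why it belongs to HTTP authentication schemes (Basic, Bearer, ...).
      .handle { case AuthenticationFailedRejection(CredentialsMissing, challenge) =>
        respondWithHeader(`WWW-Authenticate`(challenge)) {
          complete((StatusCodes.Unauthorized, "credentials required"))
        }
      }
      .result()

  // Assumed cookie name; akka-http-session's default is also "_sessiondata",
  // but nothing here depends on the library itself.
  val sessionCookieName = "_sessiondata"

  val route: Route =
    handleRejections(sessionRejectionHandler) {
      concat(
        // Cookie-based session: a missing cookie is an authorization failure (403).
        path("secret") {
          optionalCookie(sessionCookieName) {
            case Some(_) => complete("ok, session present")
            case None    => reject(AuthorizationFailedRejection)
          }
        },
        // HTTP Basic endpoint: missing credentials are an authentication failure (401),
        // and the rejection carries the challenge the client must satisfy.
        path("basic") {
          optionalHeaderValueByName("Authorization") {
            case Some(_) => complete("ok, credentials supplied")
            case None =>
              reject(AuthenticationFailedRejection(CredentialsMissing,
                HttpChallenges.basic("example-realm")))
          }
        }
      )
    }
}
```

Binding `SessionRejections.route` with `Http().newServerAt(...)` and requesting `/secret` without the cookie yields a bare 403, while `/basic` without an Authorization header yields a 401 with `WWW-Authenticate: Basic realm="example-realm"`; that header is the part a session cookie cannot provide, which is the reason the library settled on AuthorizationFailedRejection.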