I didn't see this one in the spec, but it seems like requiring an application to return a 404 is not correct in all cases. It would be up to the specific application's config.

If I setup an application to require login on everything /** then I would expect a 302 back to the login page. If that application has each resource mapped explicitly then a 404 could be returned.

I see your point. This was originally added as a sanity check to make sure that our middleware/filters weren't catching requests they shouldn't. So, not testing that the application should 404 as much as making sure that the Stormpath middleware isn't getting to eager. I'm okay with removing it though.

We used to have it as "not 200 / 500" over much debate...

We used to have it as "not 200 / 500" over much debate...

We might have just missed this one when we updated everything.