Spring Security Replace Hardcoded 403 in Http403ForbiddenEntryPoint with HttpStatus.FORBIDDEN.value()

Summary

In BasicAuthenticationEntryPoint and DelegatingAuthenticationEntryPoint, HTTP status codes are returned using HttpStatus.UNAUTHORIZED.value().
However, in Http403ForbiddenEntryPoint, the status code 403 is hardcoded.

For consistency and maintainability, should we update Http403ForbiddenEntryPoint to also use HttpStatus.FORBIDDEN.value()?

Suggested Improvement

To maintain consistency across different authentication entry points,
Http403ForbiddenEntryPoint could be modified as follows:

java public void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException authException) throws IOException { logger.debug("Pre-authenticated entry point called. Rejecting access"); response.sendError(HttpStatus.FORBIDDEN.value(), HttpStatus.FORBIDDEN.getReasonPhrase()); }

Current Implementation

• BasicAuthenticationEntryPoint (Uses HttpStatus.UNAUTHORIZED.value()) java public void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException authException) throws IOException { response.addHeader("WWW-Authenticate", "Basic realm=\"" + this.realmName + "\""); response.sendError(HttpStatus.UNAUTHORIZED.value(), HttpStatus.UNAUTHORIZED.getReasonPhrase()); }
• DelegatingAuthenticationEntryPoint (Uses HttpStatus.UNAUTHORIZED.value()) java public void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException authException) throws IOException { response.addHeader("WWW-Authenticate", authenticateHeader); response.sendError(HttpStatus.UNAUTHORIZED.value(), HttpStatus.UNAUTHORIZED.getReasonPhrase()); }
• Http403ForbiddenEntryPoint (Hardcoded 403) java public void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException authException) throws IOException { logger.debug("Pre-authenticated entry point called. Rejecting access"); response.sendError(403, "Access Denied"); }

Questions

• Is there any specific reason why Http403ForbiddenEntryPoint does not follow the same pattern as BasicAuthenticationEntryPoint and DelegatingAuthenticationEntryPoint?
• Would it make sense to standardize the use of HttpStatus.FORBIDDEN.value() for better readability and maintainability?

Comment From: jzheaux

Thanks for the suggestion, @yelm-212 and the thorough write-up. I'll close this in favor of #16616