From s...@apache.org
Subject [2/4] brooklyn-server git commit: REST api: forbidden instead of unauthorized
Date Wed, 10 Feb 2016 14:09:00 GMT
REST api: forbidden instead of unauthorized

When an entitlement check fails, return 403 instead of 401.

Project: http://git-wip-us.apache.org/repos/asf/brooklyn-server/repo
Commit: http://git-wip-us.apache.org/repos/asf/brooklyn-server/commit/f0db35f1
Tree: http://git-wip-us.apache.org/repos/asf/brooklyn-server/tree/f0db35f1
Diff: http://git-wip-us.apache.org/repos/asf/brooklyn-server/diff/f0db35f1

Branch: refs/heads/master
Commit: f0db35f1647e7cb5a89753ec8b2c9e2ceb6dd998
Parents: a055717
Author: Aled Sage <aled.sage@gmail.com>
Authored: Wed Feb 10 10:39:00 2016 +0000
Committer: Aled Sage <aled.sage@gmail.com>
Committed: Wed Feb 10 12:42:52 2016 +0000

----------------------------------------------------------------------
 .../rest/resources/ApplicationResource.java     |  8 ++---
 .../rest/resources/CatalogResource.java         | 32 ++++++++++----------
 .../rest/resources/EffectorResource.java        |  2 +-
 .../rest/resources/EntityConfigResource.java    | 12 ++++----
 .../brooklyn/rest/resources/EntityResource.java |  4 +--
 .../rest/resources/PolicyConfigResource.java    |  2 +-
 .../brooklyn/rest/resources/SensorResource.java | 14 ++++-----
 .../brooklyn/rest/resources/ServerResource.java | 16 +++++-----
 .../rest/util/BrooklynRestResourceUtils.java    |  6 ++--
 .../AbstractRestApiEntitlementsTest.java        |  2 +-
 10 files changed, 49 insertions(+), 49 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/brooklyn-server/blob/f0db35f1/rest/rest-server/src/main/java/org/apache/brooklyn/rest/resources/ApplicationResource.java
----------------------------------------------------------------------
diff --git a/rest/rest-server/src/main/java/org/apache/brooklyn/rest/resources/ApplicationResource.java
b/rest/rest-server/src/main/java/org/apache/brooklyn/rest/resources/ApplicationResource.java
index 22a4502..351f65a 100644
--- a/rest/rest-server/src/main/java/org/apache/brooklyn/rest/resources/ApplicationResource.java
+++ b/rest/rest-server/src/main/java/org/apache/brooklyn/rest/resources/ApplicationResource.java
@@ -245,7 +245,7 @@ public class ApplicationResource extends AbstractBrooklynRestResource
implements
     /** @deprecated since 0.7.0 see #create */ @Deprecated
     protected Response createFromAppSpec(ApplicationSpec applicationSpec) {
         if (!Entitlements.isEntitled(mgmt().getEntitlementManager(), Entitlements.DEPLOY_APPLICATION,
applicationSpec)) {
-            throw WebResourceUtils.unauthorized("User '%s' is not authorized to start application
%s",
+            throw WebResourceUtils.forbidden("User '%s' is not authorized to start application
%s",
                 Entitlements.getEntitlementContext().user(), applicationSpec);
         }
 
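Review bot: The guard on `applicationSpec` is the same three-line `if (!Entitlements.isEntitled(...)) throw WebResourceUtils.forbidden(...)` block that recurs in every hunk of this commit, which is why a one-word status-code change had to touch 49 sites across ten files. A small protected helper on the shared base class, called as e.g. `checkEntitled(Entitlements.DEPLOY_APPLICATION, applicationSpec, "User '%s' is not authorized to start application %s", ...)`, would keep the response code and the message wording in one place so the next policy change is a single edit. The same point applies to the CatalogResource, EffectorResource, EntityConfigResource, EntityResource, PolicyConfigResource, SensorResource and ServerResource hunks. createFromAppSpec's body continues below the hunk.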
@@ -282,7 +282,7 @@ public class ApplicationResource extends AbstractBrooklynRestResource
implements
         EntitySpec<? extends Application> spec = createEntitySpecForApplication(yaml);
         
         if (!Entitlements.isEntitled(mgmt().getEntitlementManager(), Entitlements.DEPLOY_APPLICATION,
spec)) {
-            throw WebResourceUtils.unauthorized("User '%s' is not authorized to start application
%s",
+            throw WebResourceUtils.forbidden("User '%s' is not authorized to start application
%s",
                 Entitlements.getEntitlementContext().user(), yaml);
         }
 
@@ -300,7 +300,7 @@ public class ApplicationResource extends AbstractBrooklynRestResource
implements
                     EntityAndItem.of(app, StringAndArgument.of(Startable.START.getName(),
null)));
 
             if (!isEntitled) {
-                throw WebResourceUtils.unauthorized("User '%s' is not authorized to start
application %s",
+                throw WebResourceUtils.forbidden("User '%s' is not authorized to start application
%s",
                     Entitlements.getEntitlementContext().user(), spec.getType());
             }
 
@@ -363,7 +363,7 @@ public class ApplicationResource extends AbstractBrooklynRestResource
implements
         Application app = brooklyn().getApplication(application);
         if (!Entitlements.isEntitled(mgmt().getEntitlementManager(), Entitlements.INVOKE_EFFECTOR,
Entitlements.EntityAndItem.of(app, 
             StringAndArgument.of(Entitlements.LifecycleEffectors.DELETE, null)))) {
-            throw WebResourceUtils.unauthorized("User '%s' is not authorized to delete application
%s",
+            throw WebResourceUtils.forbidden("User '%s' is not authorized to delete application
%s",
                 Entitlements.getEntitlementContext().user(), app);
         }
         Task<?> t = brooklyn().destroy(app);

http://git-wip-us.apache.org/repos/asf/brooklyn-server/blob/f0db35f1/rest/rest-server/src/main/java/org/apache/brooklyn/rest/resources/CatalogResource.java
----------------------------------------------------------------------
diff --git a/rest/rest-server/src/main/java/org/apache/brooklyn/rest/resources/CatalogResource.java
b/rest/rest-server/src/main/java/org/apache/brooklyn/rest/resources/CatalogResource.java
index 82bac22..a26f1a1 100644
--- a/rest/rest-server/src/main/java/org/apache/brooklyn/rest/resources/CatalogResource.java
+++ b/rest/rest-server/src/main/java/org/apache/brooklyn/rest/resources/CatalogResource.java
@@ -105,7 +105,7 @@ public class CatalogResource extends AbstractBrooklynRestResource implements
Cat
     @Override
     public Response create(String yaml) {
         if (!Entitlements.isEntitled(mgmt().getEntitlementManager(), Entitlements.ADD_CATALOG_ITEM,
yaml)) {
-            throw WebResourceUtils.unauthorized("User '%s' is not authorized to add catalog
item",
+            throw WebResourceUtils.forbidden("User '%s' is not authorized to add catalog
item",
                 Entitlements.getEntitlementContext().user());
         }
         
@@ -139,7 +139,7 @@ public class CatalogResource extends AbstractBrooklynRestResource implements
Cat
     public Response resetXml(String xml, boolean ignoreErrors) {
         if (!Entitlements.isEntitled(mgmt().getEntitlementManager(), Entitlements.MODIFY_CATALOG_ITEM,
null) ||
             !Entitlements.isEntitled(mgmt().getEntitlementManager(), Entitlements.ADD_CATALOG_ITEM,
null)) {
-            throw WebResourceUtils.unauthorized("User '%s' is not authorized to modify catalog",
+            throw WebResourceUtils.forbidden("User '%s' is not authorized to modify catalog",
                 Entitlements.getEntitlementContext().user());
         }
 
@@ -151,7 +151,7 @@ public class CatalogResource extends AbstractBrooklynRestResource implements
Cat
     @Deprecated
     public void deleteEntity(String entityId) throws Exception {
         if (!Entitlements.isEntitled(mgmt().getEntitlementManager(), Entitlements.MODIFY_CATALOG_ITEM,
StringAndArgument.of(entityId, "delete"))) {
-            throw WebResourceUtils.unauthorized("User '%s' is not authorized to modify catalog",
+            throw WebResourceUtils.forbidden("User '%s' is not authorized to modify catalog",
                 Entitlements.getEntitlementContext().user());
         }
         try {
@@ -180,7 +180,7 @@ public class CatalogResource extends AbstractBrooklynRestResource implements
Cat
     @Override
     public void deleteEntity(String symbolicName, String version) throws Exception {
         if (!Entitlements.isEntitled(mgmt().getEntitlementManager(), Entitlements.MODIFY_CATALOG_ITEM,
StringAndArgument.of(symbolicName+(Strings.isBlank(version) ? "" : ":"+version), "delete")))
{
-            throw WebResourceUtils.unauthorized("User '%s' is not authorized to modify catalog",
+            throw WebResourceUtils.forbidden("User '%s' is not authorized to modify catalog",
                 Entitlements.getEntitlementContext().user());
         }
         
@@ -197,7 +197,7 @@ public class CatalogResource extends AbstractBrooklynRestResource implements
Cat
     @Override
     public void deletePolicy(String policyId, String version) throws Exception {
         if (!Entitlements.isEntitled(mgmt().getEntitlementManager(), Entitlements.MODIFY_CATALOG_ITEM,
StringAndArgument.of(policyId+(Strings.isBlank(version) ? "" : ":"+version), "delete"))) {
-            throw WebResourceUtils.unauthorized("User '%s' is not authorized to modify catalog",
+            throw WebResourceUtils.forbidden("User '%s' is not authorized to modify catalog",
                 Entitlements.getEntitlementContext().user());
         }
         
@@ -214,7 +214,7 @@ public class CatalogResource extends AbstractBrooklynRestResource implements
Cat
     @Override
     public void deleteLocation(String locationId, String version) throws Exception {
         if (!Entitlements.isEntitled(mgmt().getEntitlementManager(), Entitlements.MODIFY_CATALOG_ITEM,
StringAndArgument.of(locationId+(Strings.isBlank(version) ? "" : ":"+version), "delete")))
{
-            throw WebResourceUtils.unauthorized("User '%s' is not authorized to modify catalog",
+            throw WebResourceUtils.forbidden("User '%s' is not authorized to modify catalog",
                 Entitlements.getEntitlementContext().user());
         }
         
@@ -253,7 +253,7 @@ public class CatalogResource extends AbstractBrooklynRestResource implements
Cat
     @Deprecated
     public CatalogEntitySummary getEntity(String entityId) {
         if (!Entitlements.isEntitled(mgmt().getEntitlementManager(), Entitlements.SEE_CATALOG_ITEM,
entityId)) {
-            throw WebResourceUtils.unauthorized("User '%s' is not authorized to see catalog
entry",
+            throw WebResourceUtils.forbidden("User '%s' is not authorized to see catalog
entry",
                 Entitlements.getEntitlementContext().user());
         }
 
@@ -270,7 +270,7 @@ public class CatalogResource extends AbstractBrooklynRestResource implements
Cat
     @Override
     public CatalogEntitySummary getEntity(String symbolicName, String version) {
         if (!Entitlements.isEntitled(mgmt().getEntitlementManager(), Entitlements.SEE_CATALOG_ITEM,
symbolicName+(Strings.isBlank(version)?"":":"+version))) {
-            throw WebResourceUtils.unauthorized("User '%s' is not authorized to see catalog
entry",
+            throw WebResourceUtils.forbidden("User '%s' is not authorized to see catalog
entry",
                 Entitlements.getEntitlementContext().user());
         }
 
@@ -312,7 +312,7 @@ public class CatalogResource extends AbstractBrooklynRestResource implements
Cat
     @Deprecated
     public CatalogPolicySummary getPolicy(String policyId) {
         if (!Entitlements.isEntitled(mgmt().getEntitlementManager(), Entitlements.SEE_CATALOG_ITEM,
policyId)) {
-            throw WebResourceUtils.unauthorized("User '%s' is not authorized to see catalog
entry",
+            throw WebResourceUtils.forbidden("User '%s' is not authorized to see catalog
entry",
                 Entitlements.getEntitlementContext().user());
         }
 
@@ -329,7 +329,7 @@ public class CatalogResource extends AbstractBrooklynRestResource implements
Cat
     @Override
     public CatalogPolicySummary getPolicy(String policyId, String version) throws Exception
{
         if (!Entitlements.isEntitled(mgmt().getEntitlementManager(), Entitlements.SEE_CATALOG_ITEM,
policyId+(Strings.isBlank(version)?"":":"+version))) {
-            throw WebResourceUtils.unauthorized("User '%s' is not authorized to see catalog
entry",
+            throw WebResourceUtils.forbidden("User '%s' is not authorized to see catalog
entry",
                 Entitlements.getEntitlementContext().user());
         }
 
@@ -358,7 +358,7 @@ public class CatalogResource extends AbstractBrooklynRestResource implements
Cat
     @Deprecated
     public CatalogLocationSummary getLocation(String locationId) {
         if (!Entitlements.isEntitled(mgmt().getEntitlementManager(), Entitlements.SEE_CATALOG_ITEM,
locationId)) {
-            throw WebResourceUtils.unauthorized("User '%s' is not authorized to see catalog
entry",
+            throw WebResourceUtils.forbidden("User '%s' is not authorized to see catalog
entry",
                 Entitlements.getEntitlementContext().user());
         }
 
@@ -375,7 +375,7 @@ public class CatalogResource extends AbstractBrooklynRestResource implements
Cat
     @Override
     public CatalogLocationSummary getLocation(String locationId, String version) throws Exception
{
         if (!Entitlements.isEntitled(mgmt().getEntitlementManager(), Entitlements.SEE_CATALOG_ITEM,
locationId+(Strings.isBlank(version)?"":":"+version))) {
-            throw WebResourceUtils.unauthorized("User '%s' is not authorized to see catalog
entry",
+            throw WebResourceUtils.forbidden("User '%s' is not authorized to see catalog
entry",
                 Entitlements.getEntitlementContext().user());
         }
 
@@ -414,7 +414,7 @@ public class CatalogResource extends AbstractBrooklynRestResource implements
Cat
     @Deprecated
     public Response getIcon(String itemId) {
         if (!Entitlements.isEntitled(mgmt().getEntitlementManager(), Entitlements.SEE_CATALOG_ITEM,
itemId)) {
-            throw WebResourceUtils.unauthorized("User '%s' is not authorized to see catalog
entry",
+            throw WebResourceUtils.forbidden("User '%s' is not authorized to see catalog
entry",
                 Entitlements.getEntitlementContext().user());
         }
 
@@ -424,7 +424,7 @@ public class CatalogResource extends AbstractBrooklynRestResource implements
Cat
     @Override
     public Response getIcon(String itemId, String version) {
         if (!Entitlements.isEntitled(mgmt().getEntitlementManager(), Entitlements.SEE_CATALOG_ITEM,
itemId+(Strings.isBlank(version)?"":":"+version))) {
-            throw WebResourceUtils.unauthorized("User '%s' is not authorized to see catalog
entry",
+            throw WebResourceUtils.forbidden("User '%s' is not authorized to see catalog
entry",
                 Entitlements.getEntitlementContext().user());
         }
         
@@ -442,7 +442,7 @@ public class CatalogResource extends AbstractBrooklynRestResource implements
Cat
     @Override
     public void setDeprecated(String itemId, boolean deprecated) {
         if (!Entitlements.isEntitled(mgmt().getEntitlementManager(), Entitlements.MODIFY_CATALOG_ITEM,
StringAndArgument.of(itemId, "deprecated"))) {
-            throw WebResourceUtils.unauthorized("User '%s' is not authorized to modify catalog",
+            throw WebResourceUtils.forbidden("User '%s' is not authorized to modify catalog",
                     Entitlements.getEntitlementContext().user());
         }
         CatalogUtils.setDeprecated(mgmt(), itemId, deprecated);
@@ -452,7 +452,7 @@ public class CatalogResource extends AbstractBrooklynRestResource implements
Cat
     @Override
     public void setDisabled(String itemId, boolean disabled) {
         if (!Entitlements.isEntitled(mgmt().getEntitlementManager(), Entitlements.MODIFY_CATALOG_ITEM,
StringAndArgument.of(itemId, "disabled"))) {
-            throw WebResourceUtils.unauthorized("User '%s' is not authorized to modify catalog",
+            throw WebResourceUtils.forbidden("User '%s' is not authorized to modify catalog",
                     Entitlements.getEntitlementContext().user());
         }
         CatalogUtils.setDisabled(mgmt(), itemId, disabled);

http://git-wip-us.apache.org/repos/asf/brooklyn-server/blob/f0db35f1/rest/rest-server/src/main/java/org/apache/brooklyn/rest/resources/EffectorResource.java
----------------------------------------------------------------------
diff --git a/rest/rest-server/src/main/java/org/apache/brooklyn/rest/resources/EffectorResource.java
b/rest/rest-server/src/main/java/org/apache/brooklyn/rest/resources/EffectorResource.java
index 4110d47..710e2de 100644
--- a/rest/rest-server/src/main/java/org/apache/brooklyn/rest/resources/EffectorResource.java
+++ b/rest/rest-server/src/main/java/org/apache/brooklyn/rest/resources/EffectorResource.java
@@ -86,7 +86,7 @@ public class EffectorResource extends AbstractBrooklynRestResource implements
Ef
             throw WebResourceUtils.notFound("Entity '%s' has no effector with name '%s'",
entityToken, effectorName);
         } else if (!Entitlements.isEntitled(mgmt().getEntitlementManager(), Entitlements.INVOKE_EFFECTOR,
                 Entitlements.EntityAndItem.of(entity, StringAndArgument.of(effector.get().getName(),
null)))) {
-            throw WebResourceUtils.unauthorized("User '%s' is not authorized to invoke effector
%s on entity %s",
+            throw WebResourceUtils.forbidden("User '%s' is not authorized to invoke effector
%s on entity %s",
                     Entitlements.getEntitlementContext().user(), effector.get().getName(),
entity);
         }
         log.info("REST invocation of " + entity + "." + effector.get() + " " + parameters);
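Review bot: The not-found branch runs before the INVOKE_EFFECTOR check, so a caller who lacks that entitlement receives 404 when the effector name does not exist and 403 when it does, which lets them confirm effector names on entities they are not allowed to act on. The same lookup-before-check order appears in the EntityConfigResource hunk where `findConfig(entity, configKeyName)` precedes the SEE_ENTITY check and in the SensorResource hunk where `findSensor(entity, sensorName)` does, assuming those helpers raise not-found for unknown names. Checking SEE_ENTITY on `entity` before resolving the effector, or returning 403 for both outcomes when the caller is not entitled, removes the distinction. The method starts above the hunk, so the earlier resolution of `entity` is not visible here. The log line at the end of the hunk also prints the raw `parameters` map; if effector arguments can carry credentials it would be safer to log only their keys.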

http://git-wip-us.apache.org/repos/asf/brooklyn-server/blob/f0db35f1/rest/rest-server/src/main/java/org/apache/brooklyn/rest/resources/EntityConfigResource.java
----------------------------------------------------------------------
diff --git a/rest/rest-server/src/main/java/org/apache/brooklyn/rest/resources/EntityConfigResource.java
b/rest/rest-server/src/main/java/org/apache/brooklyn/rest/resources/EntityConfigResource.java
index e6dd315..7aaa3f7 100644
--- a/rest/rest-server/src/main/java/org/apache/brooklyn/rest/resources/EntityConfigResource.java
+++ b/rest/rest-server/src/main/java/org/apache/brooklyn/rest/resources/EntityConfigResource.java
@@ -56,7 +56,7 @@ public class EntityConfigResource extends AbstractBrooklynRestResource implement
     public List<EntityConfigSummary> list(final String application, final String entityToken)
{
         final Entity entity = brooklyn().getEntity(application, entityToken);
         if (!Entitlements.isEntitled(mgmt().getEntitlementManager(), Entitlements.SEE_ENTITY,
entity)) {
-            throw WebResourceUtils.unauthorized("User '%s' is not authorized to see entity
'%s'",
+            throw WebResourceUtils.forbidden("User '%s' is not authorized to see entity '%s'",
                     Entitlements.getEntitlementContext().user(), entity);
         }
 
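Review bot: The 403 message still formats `entity` itself, so a caller who has just been denied SEE_ENTITY gets whatever `Entity.toString()` exposes about that entity in the response body; the later EntityConfigResource hunks, the EntityResource get hunk and the SensorResource hunks do the same. The addChildren hunk in EntityResource already formats the caller-supplied `entityToken` instead, which is the safer choice here too: `throw WebResourceUtils.forbidden("User '%s' is not authorized to see entity '%s'", Entitlements.getEntitlementContext().user(), entityToken);`. What toString() includes is not visible on this page, so whether this is an actual disclosure depends on that implementation. list's body continues past the hunk.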
@@ -84,7 +84,7 @@ public class EntityConfigResource extends AbstractBrooklynRestResource implement
         // TODO: add test
         Entity entity = brooklyn().getEntity(application, entityToken);
         if (!Entitlements.isEntitled(mgmt().getEntitlementManager(), Entitlements.SEE_ENTITY,
entity)) {
-            throw WebResourceUtils.unauthorized("User '%s' is not authorized to see entity
'%s'",
+            throw WebResourceUtils.forbidden("User '%s' is not authorized to see entity '%s'",
                     Entitlements.getEntitlementContext().user(), entity);
         }
 
@@ -141,11 +141,11 @@ public class EntityConfigResource extends AbstractBrooklynRestResource
implement
         ConfigKey<?> ck = findConfig(entity, configKeyName);
         
         if (!Entitlements.isEntitled(mgmt().getEntitlementManager(), Entitlements.SEE_ENTITY,
entity)) {
-            throw WebResourceUtils.unauthorized("User '%s' is not authorized to see entity
'%s'",
+            throw WebResourceUtils.forbidden("User '%s' is not authorized to see entity '%s'",
                     Entitlements.getEntitlementContext().user(), entity);
         }
         if (!Entitlements.isEntitled(mgmt().getEntitlementManager(), Entitlements.SEE_CONFIG,
new EntityAndItem<String>(entity, ck.getName()))) {
-            throw WebResourceUtils.unauthorized("User '%s' is not authorized to see entity
'%s' config '%s'",
+            throw WebResourceUtils.forbidden("User '%s' is not authorized to see entity '%s'
config '%s'",
                     Entitlements.getEntitlementContext().user(), entity, ck.getName());
         }
         
@@ -165,7 +165,7 @@ public class EntityConfigResource extends AbstractBrooklynRestResource
implement
     public void setFromMap(String application, String entityToken, Boolean recurse, Map newValues)
{
         final Entity entity = brooklyn().getEntity(application, entityToken);
         if (!Entitlements.isEntitled(mgmt().getEntitlementManager(), Entitlements.MODIFY_ENTITY,
entity)) {
-            throw WebResourceUtils.unauthorized("User '%s' is not authorized to modify entity
'%s'",
+            throw WebResourceUtils.forbidden("User '%s' is not authorized to modify entity
'%s'",
                     Entitlements.getEntitlementContext().user(), entity);
         }
 
@@ -190,7 +190,7 @@ public class EntityConfigResource extends AbstractBrooklynRestResource
implement
     public void set(String application, String entityToken, String configName, Boolean recurse,
Object newValue) {
         final Entity entity = brooklyn().getEntity(application, entityToken);
         if (!Entitlements.isEntitled(mgmt().getEntitlementManager(), Entitlements.MODIFY_ENTITY,
entity)) {
-            throw WebResourceUtils.unauthorized("User '%s' is not authorized to modify entity
'%s'",
+            throw WebResourceUtils.forbidden("User '%s' is not authorized to modify entity
'%s'",
                     Entitlements.getEntitlementContext().user(), entity);
         }
 

http://git-wip-us.apache.org/repos/asf/brooklyn-server/blob/f0db35f1/rest/rest-server/src/main/java/org/apache/brooklyn/rest/resources/EntityResource.java
----------------------------------------------------------------------
diff --git a/rest/rest-server/src/main/java/org/apache/brooklyn/rest/resources/EntityResource.java
b/rest/rest-server/src/main/java/org/apache/brooklyn/rest/resources/EntityResource.java
index 9575236..c4df6d4 100644
--- a/rest/rest-server/src/main/java/org/apache/brooklyn/rest/resources/EntityResource.java
+++ b/rest/rest-server/src/main/java/org/apache/brooklyn/rest/resources/EntityResource.java
@@ -90,7 +90,7 @@ public class EntityResource extends AbstractBrooklynRestResource implements
Enti
         if (Entitlements.isEntitled(mgmt().getEntitlementManager(), Entitlements.SEE_ENTITY,
entity)) {
             return EntityTransformer.entitySummary(entity);
         }
-        throw WebResourceUtils.unauthorized("User '%s' is not authorized to get entity '%s'",
+        throw WebResourceUtils.forbidden("User '%s' is not authorized to get entity '%s'",
                 Entitlements.getEntitlementContext().user(), entity);
     }
 
@@ -113,7 +113,7 @@ public class EntityResource extends AbstractBrooklynRestResource implements
Enti
     public Response addChildren(String applicationToken, String entityToken, Boolean start,
String timeoutS, String yaml) {
         final Entity parent = brooklyn().getEntity(applicationToken, entityToken);
         if (!Entitlements.isEntitled(mgmt().getEntitlementManager(), Entitlements.MODIFY_ENTITY,
parent)) {
-            throw WebResourceUtils.unauthorized("User '%s' is not authorized to modify entity
'%s'",
+            throw WebResourceUtils.forbidden("User '%s' is not authorized to modify entity
'%s'",
                     Entitlements.getEntitlementContext().user(), entityToken);
         }
         CreationResult<List<Entity>, List<String>> added = EntityManagementUtils.addChildren(parent,
yaml, start)

http://git-wip-us.apache.org/repos/asf/brooklyn-server/blob/f0db35f1/rest/rest-server/src/main/java/org/apache/brooklyn/rest/resources/PolicyConfigResource.java
----------------------------------------------------------------------
diff --git a/rest/rest-server/src/main/java/org/apache/brooklyn/rest/resources/PolicyConfigResource.java
b/rest/rest-server/src/main/java/org/apache/brooklyn/rest/resources/PolicyConfigResource.java
index fe28576..fbb13a7 100644
--- a/rest/rest-server/src/main/java/org/apache/brooklyn/rest/resources/PolicyConfigResource.java
+++ b/rest/rest-server/src/main/java/org/apache/brooklyn/rest/resources/PolicyConfigResource.java
@@ -89,7 +89,7 @@ public class PolicyConfigResource extends AbstractBrooklynRestResource implement
     public Response set(String application, String entityToken, String policyToken, String
configKeyName, Object value) {
         Entity entity = brooklyn().getEntity(application, entityToken);
         if (!Entitlements.isEntitled(mgmt().getEntitlementManager(), Entitlements.MODIFY_ENTITY,
entity)) {
-            throw WebResourceUtils.unauthorized("User '%s' is not authorized to modify entity
'%s'",
+            throw WebResourceUtils.forbidden("User '%s' is not authorized to modify entity
'%s'",
                     Entitlements.getEntitlementContext().user(), entity);
         }
 

http://git-wip-us.apache.org/repos/asf/brooklyn-server/blob/f0db35f1/rest/rest-server/src/main/java/org/apache/brooklyn/rest/resources/SensorResource.java
----------------------------------------------------------------------
diff --git a/rest/rest-server/src/main/java/org/apache/brooklyn/rest/resources/SensorResource.java
b/rest/rest-server/src/main/java/org/apache/brooklyn/rest/resources/SensorResource.java
index edb5c7f..2f03196 100644
--- a/rest/rest-server/src/main/java/org/apache/brooklyn/rest/resources/SensorResource.java
+++ b/rest/rest-server/src/main/java/org/apache/brooklyn/rest/resources/SensorResource.java
@@ -53,7 +53,7 @@ public class SensorResource extends AbstractBrooklynRestResource implements
Sens
     public List<SensorSummary> list(final String application, final String entityToken)
{
         final Entity entity = brooklyn().getEntity(application, entityToken);
         if (!Entitlements.isEntitled(mgmt().getEntitlementManager(), Entitlements.SEE_ENTITY,
entity)) {
-            throw WebResourceUtils.unauthorized("User '%s' is not authorized to see entity
'%s'",
+            throw WebResourceUtils.forbidden("User '%s' is not authorized to see entity '%s'",
                     Entitlements.getEntitlementContext().user(), entity);
         }
 
@@ -76,7 +76,7 @@ public class SensorResource extends AbstractBrooklynRestResource implements
Sens
     public Map<String, Object> batchSensorRead(final String application, final String
entityToken, final Boolean raw) {
         final Entity entity = brooklyn().getEntity(application, entityToken);
         if (!Entitlements.isEntitled(mgmt().getEntitlementManager(), Entitlements.SEE_ENTITY,
entity)) {
-            throw WebResourceUtils.unauthorized("User '%s' is not authorized to see entity
'%s'",
+            throw WebResourceUtils.forbidden("User '%s' is not authorized to see entity '%s'",
                     Entitlements.getEntitlementContext().user(), entity);
         }
 
@@ -104,11 +104,11 @@ public class SensorResource extends AbstractBrooklynRestResource implements
Sens
         AttributeSensor<?> sensor = findSensor(entity, sensorName);
         
         if (!Entitlements.isEntitled(mgmt().getEntitlementManager(), Entitlements.SEE_ENTITY,
entity)) {
-            throw WebResourceUtils.unauthorized("User '%s' is not authorized to see entity
'%s'",
+            throw WebResourceUtils.forbidden("User '%s' is not authorized to see entity '%s'",
                     Entitlements.getEntitlementContext().user(), entity);
         }
         if (!Entitlements.isEntitled(mgmt().getEntitlementManager(), Entitlements.SEE_SENSOR,
new EntityAndItem<String>(entity, sensor.getName()))) {
-            throw WebResourceUtils.unauthorized("User '%s' is not authorized to see entity
'%s' sensor '%s'",
+            throw WebResourceUtils.forbidden("User '%s' is not authorized to see entity '%s'
sensor '%s'",
                     Entitlements.getEntitlementContext().user(), entity, sensor.getName());
         }
         
@@ -137,7 +137,7 @@ public class SensorResource extends AbstractBrooklynRestResource implements
Sens
     public void setFromMap(String application, String entityToken, Map newValues) {
         final Entity entity = brooklyn().getEntity(application, entityToken);
         if (!Entitlements.isEntitled(mgmt().getEntitlementManager(), Entitlements.MODIFY_ENTITY,
entity)) {
-            throw WebResourceUtils.unauthorized("User '%s' is not authorized to modify entity
'%s'",
+            throw WebResourceUtils.forbidden("User '%s' is not authorized to modify entity
'%s'",
                 Entitlements.getEntitlementContext().user(), entity);
         }
 
@@ -157,7 +157,7 @@ public class SensorResource extends AbstractBrooklynRestResource implements
Sens
     public void set(String application, String entityToken, String sensorName, Object newValue)
{
         final Entity entity = brooklyn().getEntity(application, entityToken);
         if (!Entitlements.isEntitled(mgmt().getEntitlementManager(), Entitlements.MODIFY_ENTITY,
entity)) {
-            throw WebResourceUtils.unauthorized("User '%s' is not authorized to modify entity
'%s'",
+            throw WebResourceUtils.forbidden("User '%s' is not authorized to modify entity
'%s'",
                 Entitlements.getEntitlementContext().user(), entity);
         }
         
@@ -171,7 +171,7 @@ public class SensorResource extends AbstractBrooklynRestResource implements
Sens
     public void delete(String application, String entityToken, String sensorName) {
         final Entity entity = brooklyn().getEntity(application, entityToken);
         if (!Entitlements.isEntitled(mgmt().getEntitlementManager(), Entitlements.MODIFY_ENTITY,
entity)) {
-            throw WebResourceUtils.unauthorized("User '%s' is not authorized to modify entity
'%s'",
+            throw WebResourceUtils.forbidden("User '%s' is not authorized to modify entity
'%s'",
                 Entitlements.getEntitlementContext().user(), entity);
         }
         

http://git-wip-us.apache.org/repos/asf/brooklyn-server/blob/f0db35f1/rest/rest-server/src/main/java/org/apache/brooklyn/rest/resources/ServerResource.java
----------------------------------------------------------------------
diff --git a/rest/rest-server/src/main/java/org/apache/brooklyn/rest/resources/ServerResource.java
b/rest/rest-server/src/main/java/org/apache/brooklyn/rest/resources/ServerResource.java
index c029bd3..426870d 100644
--- a/rest/rest-server/src/main/java/org/apache/brooklyn/rest/resources/ServerResource.java
+++ b/rest/rest-server/src/main/java/org/apache/brooklyn/rest/resources/ServerResource.java
@@ -108,7 +108,7 @@ public class ServerResource extends AbstractBrooklynRestResource implements
Serv
             Long delayMillis) {
         
         if (!Entitlements.isEntitled(mgmt().getEntitlementManager(), Entitlements.SEE_ALL_SERVER_INFO,
null))
-            throw WebResourceUtils.unauthorized("User '%s' is not authorized for this operation",
Entitlements.getEntitlementContext().user());
+            throw WebResourceUtils.forbidden("User '%s' is not authorized for this operation",
Entitlements.getEntitlementContext().user());
         
         log.info("REST call to shutdown server, stopAppsFirst="+stopAppsFirst+", delayForHttpReturn="+shutdownTimeoutRaw);
 
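Review bot: The rewritten throw is the sole statement of an unbraced `if`, and with the throw wrapped over two lines the guard is easy to misread as also covering the following log.info; the getVersion, isUp, isShuttingDown and getHighAvailabilityNodeState hunks in this file have the same shape, while the getConfig hunk braces it. Bracing the guard keeps the file consistent: `if (!Entitlements.isEntitled(mgmt().getEntitlementManager(), Entitlements.SEE_ALL_SERVER_INFO, null)) {` before the throw and `}` after it. The enclosing shutdown method's signature starts above the hunk.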
@@ -311,7 +311,7 @@ public class ServerResource extends AbstractBrooklynRestResource implements
Serv
     @Override
     public VersionSummary getVersion() {
         if (!Entitlements.isEntitled(mgmt().getEntitlementManager(), Entitlements.SERVER_STATUS,
null))
-            throw WebResourceUtils.unauthorized("User '%s' is not authorized for this operation",
Entitlements.getEntitlementContext().user());
+            throw WebResourceUtils.forbidden("User '%s' is not authorized for this operation",
Entitlements.getEntitlementContext().user());
         
         // TODO
         // * "build-metadata.properties" is probably the wrong name
@@ -338,7 +338,7 @@ public class ServerResource extends AbstractBrooklynRestResource implements
Serv
     @Override
     public boolean isUp() {
         if (!Entitlements.isEntitled(mgmt().getEntitlementManager(), Entitlements.SERVER_STATUS,
null))
-            throw WebResourceUtils.unauthorized("User '%s' is not authorized for this operation",
Entitlements.getEntitlementContext().user());
+            throw WebResourceUtils.forbidden("User '%s' is not authorized for this operation",
Entitlements.getEntitlementContext().user());
 
         Maybe<ManagementContext> mm = mgmtMaybe();
         return !mm.isAbsent() && mm.get().isStartupComplete() && mm.get().isRunning();
@@ -347,7 +347,7 @@ public class ServerResource extends AbstractBrooklynRestResource implements
Serv
     @Override
     public boolean isShuttingDown() {
         if (!Entitlements.isEntitled(mgmt().getEntitlementManager(), Entitlements.SERVER_STATUS,
null))
-            throw WebResourceUtils.unauthorized("User '%s' is not authorized for this operation",
Entitlements.getEntitlementContext().user());
+            throw WebResourceUtils.forbidden("User '%s' is not authorized for this operation",
Entitlements.getEntitlementContext().user());
         Maybe<ManagementContext> mm = mgmtMaybe();
         return !mm.isAbsent() && mm.get().isStartupComplete() && !mm.get().isRunning();
     }
@@ -376,7 +376,7 @@ public class ServerResource extends AbstractBrooklynRestResource implements
Serv
     @Override
     public String getConfig(String configKey) {
         if (!Entitlements.isEntitled(mgmt().getEntitlementManager(), Entitlements.SEE_ALL_SERVER_INFO,
null)) {
-            throw WebResourceUtils.unauthorized("User '%s' is not authorized for this operation",
Entitlements.getEntitlementContext().user());
+            throw WebResourceUtils.forbidden("User '%s' is not authorized for this operation",
Entitlements.getEntitlementContext().user());
         }
         ConfigKey<String> config = ConfigKeys.newStringConfigKey(configKey);
         return mgmt().getConfig().getConfig(config);
@@ -391,7 +391,7 @@ public class ServerResource extends AbstractBrooklynRestResource implements
Serv
     @Override
     public ManagementNodeState getHighAvailabilityNodeState() {
         if (!Entitlements.isEntitled(mgmt().getEntitlementManager(), Entitlements.SERVER_STATUS,
null))
-            throw WebResourceUtils.unauthorized("User '%s' is not authorized for this operation",
Entitlements.getEntitlementContext().user());
+            throw WebResourceUtils.forbidden("User '%s' is not authorized for this operation",
Entitlements.getEntitlementContext().user());
         
         Maybe<ManagementContext> mm = mgmtMaybe();
         if (mm.isAbsent()) return ManagementNodeState.INITIALIZING;
@@ -430,7 +430,7 @@ public class ServerResource extends AbstractBrooklynRestResource implements
Serv
     @Override
     public HighAvailabilitySummary getHighAvailabilityPlaneStates() {
         if (!Entitlements.isEntitled(mgmt().getEntitlementManager(), Entitlements.SERVER_STATUS,
null))
-            throw WebResourceUtils.unauthorized("User '%s' is not authorized for this operation",
Entitlements.getEntitlementContext().user());
+            throw WebResourceUtils.forbidden("User '%s' is not authorized for this operation",
Entitlements.getEntitlementContext().user());
         ManagementPlaneSyncRecord memento = mgmt().getHighAvailabilityManager().getLastManagementPlaneSyncRecord();
         if (memento==null) memento = mgmt().getHighAvailabilityManager().loadManagementPlaneSyncRecord(true);
         if (memento==null) return null;
@@ -460,7 +460,7 @@ public class ServerResource extends AbstractBrooklynRestResource implements
Serv
     
     protected Response exportPersistenceData(MementoCopyMode preferredOrigin) {
         if (!Entitlements.isEntitled(mgmt().getEntitlementManager(), Entitlements.SEE_ALL_SERVER_INFO,
null))
-            throw WebResourceUtils.unauthorized("User '%s' is not authorized for this operation",
Entitlements.getEntitlementContext().user());
+            throw WebResourceUtils.forbidden("User '%s' is not authorized for this operation",
Entitlements.getEntitlementContext().user());
 
         File dir = null;
         try {

http://git-wip-us.apache.org/repos/asf/brooklyn-server/blob/f0db35f1/rest/rest-server/src/main/java/org/apache/brooklyn/rest/util/BrooklynRestResourceUtils.java
----------------------------------------------------------------------
diff --git a/rest/rest-server/src/main/java/org/apache/brooklyn/rest/util/BrooklynRestResourceUtils.java
b/rest/rest-server/src/main/java/org/apache/brooklyn/rest/util/BrooklynRestResourceUtils.java
index 1b9aa77..829b7cb 100644
--- a/rest/rest-server/src/main/java/org/apache/brooklyn/rest/util/BrooklynRestResourceUtils.java
+++ b/rest/rest-server/src/main/java/org/apache/brooklyn/rest/util/BrooklynRestResourceUtils.java
@@ -307,7 +307,7 @@ public class BrooklynRestResourceUtils {
         log.debug("REST creating application instance for {}", spec);
         
         if (!Entitlements.isEntitled(mgmt.getEntitlementManager(), Entitlements.DEPLOY_APPLICATION,
spec)) {
-            throw WebResourceUtils.unauthorized("User '%s' is not authorized to deploy application
%s",
+            throw WebResourceUtils.forbidden("User '%s' is not authorized to deploy application
%s",
                 Entitlements.getEntitlementContext().user(), spec);
         }
         
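Review bot: The forbidden() message on the new line formats the whole `spec` into the client-facing 403 body, and the next hunk does the same with the applicationSpec; depending on what the spec's toString includes, this can echo configuration values back to a caller who was just denied access to deploy them. Prefer logging the spec server-side and returning only a short identifier in the response, e.g. `throw WebResourceUtils.forbidden("User '%s' is not authorized to deploy application", Entitlements.getEntitlementContext().user());` preceded by a `log.debug(...)` carrying the spec. This is not a regression of this commit, but the status change is a natural moment to tighten what the denial response reveals.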
@@ -327,7 +327,7 @@ public class BrooklynRestResourceUtils {
         }
         
         if (!Entitlements.isEntitled(mgmt.getEntitlementManager(), Entitlements.INVOKE_EFFECTOR,
null)) {
-            throw WebResourceUtils.unauthorized("User '%s' is not authorized to create application
from applicationSpec %s",
+            throw WebResourceUtils.forbidden("User '%s' is not authorized to create application
from applicationSpec %s",
                 Entitlements.getEntitlementContext().user(), spec);
         }
 
@@ -525,7 +525,7 @@ public class BrooklynRestResourceUtils {
                         }
                     });
         }
-        throw WebResourceUtils.unauthorized("User '%s' is not authorized to expunge entity
%s",
+        throw WebResourceUtils.forbidden("User '%s' is not authorized to expunge entity %s",
                     Entitlements.getEntitlementContext().user(), entity);
     }
 

http://git-wip-us.apache.org/repos/asf/brooklyn-server/blob/f0db35f1/rest/rest-server/src/test/java/org/apache/brooklyn/rest/entitlement/AbstractRestApiEntitlementsTest.java
----------------------------------------------------------------------
diff --git a/rest/rest-server/src/test/java/org/apache/brooklyn/rest/entitlement/AbstractRestApiEntitlementsTest.java
b/rest/rest-server/src/test/java/org/apache/brooklyn/rest/entitlement/AbstractRestApiEntitlementsTest.java
index c851b48..73449ea 100644
--- a/rest/rest-server/src/test/java/org/apache/brooklyn/rest/entitlement/AbstractRestApiEntitlementsTest.java
+++ b/rest/rest-server/src/test/java/org/apache/brooklyn/rest/entitlement/AbstractRestApiEntitlementsTest.java
@@ -101,7 +101,7 @@ public abstract class AbstractRestApiEntitlementsTest extends BrooklynRestApiLau
 
     protected void assertForbidden(String user, String path) throws Exception {
         HttpToolResponse response = HttpTool.httpGet(newClient(user), URI.create(getBaseUri()).resolve(path),
ImmutableMap.<String, String>of());
-        assertEquals(response.getResponseCode(), 401, "code="+response.getResponseCode()+";
reason="+response.getReasonPhrase()+"; content="+response.getContentAsString());
+        assertEquals(response.getResponseCode(), 403, "code="+response.getResponseCode()+";
reason="+response.getReasonPhrase()+"; content="+response.getContentAsString());
     }
 
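Review bot: assertForbidden now pins 403 for an authenticated-but-unentitled user, but nothing visible here pins that a request with missing or invalid credentials still yields 401, which is the other half of the distinction this commit introduces. If the class does not already have such a helper, an `assertUnauthorized(String path)` that performs the GET without credentials and expects 401 would keep the two cases from drifting back together.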
     protected void assert404(String user, String path) throws Exception {

