> At the moment, @RequiresRoles and @RequiresPermissions result in
> UnauthorizedExceptions being thrown if the user is not remembered or
> authenticated. Should they not be throwing UnauthenticatedExceptions
> in this case?

To answer your original question, yes, they should be throwing UnauthenticatedExceptions to indicate there is no identity with which to check. The AnnotationHandler implementations should be using the Subject assertion methods that already exist, which do throw the correct exception.

I've created an issue for this here: https://issues.apache.org/jira/browse/SHIRO-146

Cheers,

Les
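
The distinction discussed in this thread, as an added example that is not part of the original message and not Shiro's own handler code. It assumes shiro-core is on the classpath; `manualCheck`, `delegatingCheck`, `outcome`, and the account `alice` are hypothetical names constructed for illustration.

```java
import java.util.Arrays;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.AuthorizationException;
import org.apache.shiro.authz.UnauthorizedException;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.SimpleAccountRealm;
import org.apache.shiro.subject.Subject;

public class RoleCheckDemo {

    // Hypothetical handler that tests the role itself: an anonymous caller and
    // a logged-in caller without the role both end up in the same exception.
    static void manualCheck(Subject subject, String... roles) {
        if (!subject.hasAllRoles(Arrays.asList(roles))) {
            throw new UnauthorizedException("Missing roles " + Arrays.toString(roles));
        }
    }

    // Hypothetical handler that delegates to the Subject assertion method, which
    // raises UnauthenticatedException when the Subject has no principals.
    static void delegatingCheck(Subject subject, String... roles) {
        subject.checkRoles(Arrays.asList(roles));
    }

    // Reports which exception type (if any) a check raised.
    static String outcome(Runnable check) {
        try {
            check.run();
            return "allowed";
        } catch (AuthorizationException e) {
            return e.getClass().getSimpleName();
        }
    }

    public static void main(String[] args) {
        SimpleAccountRealm realm = new SimpleAccountRealm();
        realm.addAccount("alice", "constructed-password", "user"); // constructed sample account
        SecurityUtils.setSecurityManager(new DefaultSecurityManager(realm));
        Subject subject = SecurityUtils.getSubject(); // anonymous: no identity yet

        System.out.println("anonymous, manual:         " + outcome(() -> manualCheck(subject, "admin")));
        System.out.println("anonymous, delegating:     " + outcome(() -> delegatingCheck(subject, "admin")));

        subject.login(new UsernamePasswordToken("alice", "constructed-password"));
        System.out.println("authenticated, manual:     " + outcome(() -> manualCheck(subject, "admin")));
        System.out.println("authenticated, delegating: " + outcome(() -> delegatingCheck(subject, "admin")));
    }
}
```

Callers that map these exceptions to responses (for example, a login prompt versus an access-denied page) can only choose correctly when the handler keeps the two cases distinct.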
