401 unauthorized instead of 403 forbidden while authenticated

[daankets]

When an authenticated user is denied access because of an ACL, we receive the error 401 unauthorized. This is not in line with the http specification, that indicates 401 unauthorized is for indicating an authentication issue. 403 forbidden should be used for indicating an authorization issue.
It's also required so that - for example in an AngularJS interceptor - you can differentiate between the need to show an access denied/request access page, instead of showing a login dialog.

[daankets]

Just found this one is resolved by #301 - however not documented as far as I could find out.

Solution: config.json:

{
    "restApiRoot": "/api",
    "host": "0.0.0.0",
    "port": 3000,
    "url": "http://localhost:3000",
    "aclErrorStatus": 403
}

[bajtos]

@crandmck could you please mention this option in the documentation? See #301 for more information.

[crandmck]

I added an entry to the reference table in http://docs.strongloop.com/display/LB/config.json. We should also cover this in http://docs.strongloop.com/display/LB/Authentication+and+authorization but I don't see an obvious place. We're overhauling this area of the docs, in any case.

[floatingLomas]

I would say all the things here: http://docs.strongloop.com/dosearchsite.action?queryString=401

Also possibly here: http://docs.strongloop.com/display/LB/Advanced+topics

PS: Strongloop is awesome.