Not 100% sure what you mean, but the response I am getting in my tests looks like this:
ACCESS DENIED RESPONSE (happens on the linux box but never on my mac):
[Client to server] PUT /rest/tpos2/incoming/GoodFile.xml HTTP/1.1
... stuff cut out for brevity ...
[Server to client] HTTP/1.1 100 Continue
[Server to client] HTTP/1.1 403 Forbidden
ACCESS ALLOWED RESPONSE (always on my mac, only with correct auth credentials on the linux box):
[Client to server] PUT /rest/tpos/incoming/ab/GoodFile.xml HTTP/1.1
... stuff cut out for brevity ...
[Server to client] HTTP/1.1 100 Continue
[Server to client] HTTP/1.1 400 Bad Request
Note that the Bad request response is just because I was sending invalid content and the web app / web service correctly rejected it.
But basically Glassfish should be returning 403 when the specified user or group is not valid. It does so on the linux box I am testing this on, but never on my Mac.
[Message sent by forum member 'hordurth' (hordurth)]
http://forums.java.net/jive/thread.jspa?messageID=361606