
Triggering basic HTTP authentication from middleware

Updated: 2023-12-03 10:08:28

I haven't tested your code, but it looks like you're replying with a 403, which means "forbidden". I.e., the currently logged in user does not have permissions to access this resource.

From the RFC ( http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html ):

The server understood the request, but is refusing to fulfill it. Authorization will not help and the request SHOULD NOT be repeated. If the request method was not HEAD and the server wishes to make public why the request has not been fulfilled, it SHOULD describe the reason for the refusal in the entity. If the server does not wish to make this information available to the client, the status code 404 (Not Found) can be used instead.

Instead, you need to use a 401, and reply with a 403 ONLY if the currently logged in user cannot access the resource.
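The 401-versus-403 distinction the answer describes, as an added example that is not code from the question or the answer above. It is a framework-agnostic, WSGI-style middleware function in Python: a 401 with a WWW-Authenticate header is what makes the browser show the Basic auth prompt, while a 403 is reserved for a user who authenticated but is not allowed to reach the path. The user table, realm name, paths and the environ dictionary are constructed for the example; a real deployment would check a password hash rather than plaintext.

```python
import base64
import hmac
from typing import Dict, Optional, Tuple

# Constructed sample credential store: username -> (password, set of allowed paths).
# Plaintext passwords are used only to keep the example self-contained.
USERS = {
    "alice": ("alice-secret", {"/reports", "/admin"}),
    "bob": ("bob-secret", {"/reports"}),
}
REALM = "example"  # assumed realm name shown in the browser's login dialog


def make_basic_header(user: str, password: str) -> str:
    """Build the value a client sends in 'Authorization' for Basic auth."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def parse_basic_auth(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Return (username, password) from an 'Authorization: Basic ...' header, or None.

    Anything malformed (other scheme, bad base64, no colon) is treated as
    'no credentials' so the caller falls through to a 401.
    """
    if not header:
        return None
    scheme, _, payload = header.partition(" ")
    if scheme.lower() != "basic" or not payload:  # scheme name is case-insensitive
        return None
    try:
        decoded = base64.b64decode(payload.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    if ":" not in decoded:
        return None
    user, _, password = decoded.partition(":")
    return user, password


def authenticate(creds: Optional[Tuple[str, str]]) -> Optional[str]:
    """Return the username if the credentials match, else None."""
    if creds is None:
        return None
    user, password = creds
    record = USERS.get(user)
    if record is None:
        # Still do a comparison so unknown and known users take similar time.
        hmac.compare_digest(password.encode("utf-8"), b"")
        return None
    if hmac.compare_digest(password.encode("utf-8"), record[0].encode("utf-8")):
        return user
    return None


def basic_auth_middleware(environ: Dict[str, str]) -> Tuple[int, Dict[str, str]]:
    """Decide the status and extra headers for a request.

    401 + WWW-Authenticate: missing or invalid credentials; the browser prompts and retries.
    403: credentials are valid but this user may not access the path; retrying will not help.
    200: authenticated and authorised.
    """
    path = environ.get("PATH_INFO", "/")
    user = authenticate(parse_basic_auth(environ.get("HTTP_AUTHORIZATION")))
    if user is None:
        # The WWW-Authenticate challenge is what triggers the Basic auth dialog.
        return 401, {"WWW-Authenticate": f'Basic realm="{REALM}", charset="UTF-8"'}
    if path not in USERS[user][1]:
        # Authenticated but forbidden: no challenge header, so no new login prompt.
        return 403, {}
    return 200, {}


if __name__ == "__main__":
    # Constructed requests: anonymous, valid user on an allowed path, valid user on a denied path.
    print(basic_auth_middleware({"PATH_INFO": "/reports"}))
    print(basic_auth_middleware({"PATH_INFO": "/reports",
                                 "HTTP_AUTHORIZATION": make_basic_header("bob", "bob-secret")}))
    print(basic_auth_middleware({"PATH_INFO": "/admin",
                                 "HTTP_AUTHORIZATION": make_basic_header("bob", "bob-secret")}))
```

The anonymous request gets 401 with the challenge header, bob on /reports gets 200, and bob on /admin gets 403 without a challenge, which is the behaviour the answer recommends: the 403 only appears once a real, authenticated user has been identified.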