
Security filters should set 401 or 403 more appropriately


    • Type: Bug
    • Resolution: Duplicate
    • Priority: Neutral
    • Affects versions: 4.5.3, 4.5.2
    • Component: core
    • None

      Currently, both URISecurityFilter and ContentSecurityFilter set a 403 HTTP status when a user doesn't have access to a given resource, which is inadequate because it doesn't distinguish between anonymous and logged-in access. An anonymous request should most likely end up with a 401 code ("needs authentication"), whereas when the user is already logged in, the more correct return code is 403 ("not authorized"). While this might raise some security concerns (one can discover the existence of protected content), the current behaviour also means HTTP Basic authentication simply does not work with some clients. Browsers, for example, will only display the auth dialog when receiving a 401, not a 403 - or so it seems, anyway.
      If there really are security concerns about this change, it could also be made optional (on/off).
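An added example (not Magnolia's own code) of the distinction described above, written as a Python WSGI middleware standing in for a servlet security filter; the realm name, the policy callback and the sample paths are assumptions, and the `distinguish` flag is the optional on/off switch the issue proposes:

```python
"""401 vs 403 in an access-control filter, with an on/off switch (WSGI middleware)."""

REALM = "Magnolia"  # assumed realm name for the Basic challenge


def denial_response(principal, distinguish=True):
    """Status and headers for a request that failed authorization.

    principal: the authenticated user name, or None for anonymous access.
    distinguish: when False the filter behaves as today and always answers 403,
    which hides from unauthenticated clients whether the resource exists.
    """
    if distinguish and principal is None:
        # A 401 must carry a WWW-Authenticate challenge; without it browsers
        # will not show the Basic-auth dialog at all.
        return "401 Unauthorized", [("WWW-Authenticate", 'Basic realm="%s"' % REALM)]
    return "403 Forbidden", []


class AccessFilter:
    """allowed(path, principal) decides access; denied requests never reach app."""

    def __init__(self, app, allowed, distinguish=True):
        self.app, self.allowed, self.distinguish = app, allowed, distinguish

    def __call__(self, environ, start_response):
        principal = environ.get("REMOTE_USER")  # set by the authentication layer
        if self.allowed(environ.get("PATH_INFO", "/"), principal):
            return self.app(environ, start_response)
        status, headers = denial_response(principal, self.distinguish)
        start_response(status, headers + [("Content-Type", "text/plain")])
        return [status.encode()]


def run(app, path, user=None):
    """Constructed request helper: returns (status, headers dict, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers

    environ = {"PATH_INFO": path}
    if user is not None:
        environ["REMOTE_USER"] = user
    body = b"".join(app(environ, start_response))
    return captured["status"], dict(captured["headers"]), body


def hello(environ, start_response):
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello"]


def only_admin(path, principal):  # constructed policy: /admin/* needs user "admin"
    return not path.startswith("/admin") or principal == "admin"


filtered = AccessFilter(hello, only_admin)
```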

        Acceptance criteria

              dlipp Daniel Lipp
              gjoseph Magnolia International
              Votes: 0
              Watchers: 0
