The docs say:
Handling Authorization Result
When authorization fails, i.e., the user is not allowed to perform the specied action, one of the following two scenarios may happen:
-
If the user is not logged in and if the loginUrl property of the user component is congured to be the URL of the login page, the browser will be redirected to that page.
-
Otherwise an HTTP exception will be displayed with error code 403.
To the first bullet should be added that the default is ‘site/login’. Most folk would assume that it is unset (i.e.null). I did and wasted time trying to understand why I wasn’t receiving the expected 403.