When a user tries to access a resource for which they are not authorized, the default behavior is to indicate that the resource exists but is protected. For example, an anonymous request will result in a request for authentication (401), and a request by an unauthorized authenticated user will simply be denied (403).
You can configure a 404 (Not Found) response to be returned instead of 403 in these cases by setting Hide Existence of Unauthorized Resources under User Management | Settings in the Administration module.
Alternatively, update the Global Configuration Descriptor to set this parameter globally (for all virtual repositories) or for a specific repository:
<security>
    <hideUnauthorizedResources>false</hideUnauthorizedResources>
</security>
<virtualRepositories>
    <virtualRepository>
        <hideUnauthorizedResources>false</hideUnauthorizedResources>
    </virtualRepository>
</virtualRepositories>
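To review where this parameter is set in an exported descriptor, the following added example (not part of the product or its documentation) lists the value under `<security>` and under each `<virtualRepository>`. The `<config>` root element, the `<key>` child used to name each repository, and the sample values are assumptions; the script reports each value as written and does not decide which one takes precedence.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptor; root element name and <key> values are assumptions.
SAMPLE = """<config>
  <security>
    <hideUnauthorizedResources>true</hideUnauthorizedResources>
  </security>
  <virtualRepositories>
    <virtualRepository>
      <key>libs-release</key>
      <hideUnauthorizedResources>false</hideUnauthorizedResources>
    </virtualRepository>
    <virtualRepository>
      <key>libs-snapshot</key>
    </virtualRepository>
  </virtualRepositories>
</config>"""

def local(tag):
    """Drop any XML namespace prefix so the check works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]

def child_text(elem, name):
    """Text of the first direct child called `name`, or None if absent."""
    for child in elem:
        if local(child.tag) == name:
            return (child.text or "").strip()
    return None

def audit(descriptor_xml):
    """Return (scope, value) pairs; value is 'true', 'false' or None (not set)."""
    root = ET.fromstring(descriptor_xml)
    findings = []
    for elem in root.iter():
        name = local(elem.tag)
        if name == "security":
            findings.append(("global", child_text(elem, "hideUnauthorizedResources")))
        elif name == "virtualRepository":
            key = child_text(elem, "key") or "<unnamed>"
            findings.append((key, child_text(elem, "hideUnauthorizedResources")))
    return findings

def disclosing(findings):
    """Scopes explicitly set to 'false', i.e. still answering 401/403."""
    return [scope for scope, value in findings if value == "false"]

if __name__ == "__main__":
    for scope, value in audit(SAMPLE):
        print(f"{scope}: hideUnauthorizedResources={value}")
```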