eZ Publish / Platform: EZP-24975

Unauthorized repository exceptions don't trigger the login screen

Details

    • Type: Bug
    • Resolution: Done
    • Priority: High
    • 2015.11
    • 2015.09.1
    • None
    • None

    Description

      Repository exceptions such as UnauthorizedException will bubble up to the end, and be displayed as such instead of showing the login screen.

      The reasons are multiple.

      1. The Core\ExceptionListener from the Bundle has a priority of -90, while the one from the Firewall Sf component has 0. Ours translates the repository exception after the firewall has checked if it should display the login screen.

      2. The Core\ExceptionListener translates API\UnauthorizedException into an HttpKernel\AccessDeniedException. As it turns out, that one does NOT implement Security\AccessDeniedException, meaning that the Firewall exception listener still doesn't see it.

      I see two solutions:
      a) Translate the exception to a new eZ\Publish\Core\Base\Exceptions\AccessDeniedHttpException that implements both HttpKernel\HttpException and Security\AccessDeniedException
      b) Translate the exception to a Security\AccessDeniedException directly. As far as I can tell, the Security listener will correctly handle the HTTP codes, both for authenticated and unauthenticated users.

      Maybe a) makes more sense.
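
The following sketch is an added example, not part of the issue report and not eZ or Symfony code. It models the two causes described above with stand-in classes and a toy dispatcher, so it runs without Symfony. The class names, the `dispatch()` helper and the priority value 10 are assumptions made for illustration; only the priorities 0 and -90 come from the report.

```php
<?php
// Stand-in exception classes, constructed for this sketch (not the Symfony or eZ sources).
class ApiUnauthorizedException extends Exception {}   // stands for API\UnauthorizedException
class HttpKernelAccessDenied extends Exception {}     // stands for HttpKernel\AccessDeniedException
class SecurityAccessDenied extends Exception {}       // stands for Security\AccessDeniedException

// Minimal model of kernel.exception dispatch: listeners with higher priority run first.
function dispatch(array $listeners, Exception $e): string
{
    usort($listeners, fn($a, $b) => $b[0] <=> $a[0]);
    $event = ['exception' => $e, 'response' => null];
    foreach ($listeners as [$priority, $listener]) {
        $event = $listener($event);
        if ($event['response'] !== null) {
            return $event['response'];   // a listener produced a response; stop here
        }
    }
    return 'error page: ' . get_class($event['exception']);
}

// Firewall listener model: only reacts to the Security component's exception type.
$firewall = function (array $event): array {
    if ($event['exception'] instanceof SecurityAccessDenied) {
        $event['response'] = 'login screen';
    }
    return $event;
};

// Core listener model: translates the repository exception into the class named by $target.
$core = fn(string $target) => function (array $event) use ($target): array {
    if ($event['exception'] instanceof ApiUnauthorizedException) {
        $event['exception'] = new $target('Access denied', 0, $event['exception']);
    }
    return $event;
};

// Priority 10 is a hypothetical value, chosen only because it is above the firewall's 0.
$cases = [
    'as reported (-90, HttpKernel type)'    => [-90, HttpKernelAccessDenied::class],
    'Security type only, still at -90'      => [-90, SecurityAccessDenied::class],
    'runs before firewall, HttpKernel type' => [10, HttpKernelAccessDenied::class],
    'runs before firewall, Security type'   => [10, SecurityAccessDenied::class],
];
foreach ($cases as $label => [$priority, $target]) {
    $result = dispatch([[0, $firewall], [$priority, $core($target)]], new ApiUnauthorizedException('no access'));
    printf("%-40s => %s\n", $label, $result);
}
```

In this model only the last case reaches the login screen: the translated exception must be of the type the firewall listener checks for, and the translation must happen before that listener runs.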

          People

            Unassigned Unassigned
            bertrand.dunogier@ibexa.co Bertrand Dunogier