[undertow-dev] Unprotected areas still trigger auth
Darran Lofthouse
darran.lofthouse at jboss.com
Fri Nov 15 07:05:06 EST 2013
On 15/11/13 08:15, Stuart Douglas wrote:
> This is by design. Basically authenticate() will always be called, but sendChallenge() will only be called if authentication is actually required, or if the user supplied credentials that were actually invalid.
>
> Basically the thinking is that is is better to authenticate, so if you are logging requests or whatever you can see who is actually performing them.
>
> Is this causing you problems? Originally we had a way to disable this behaviour, but it seems to have been lost along the way.
The option should still be there although we may not be exposing it.
Just finishing off some CLI tasks and I am hoping my next task will be
to complete the authentication mechanism config that I discussed of
various lists quite a while back now.
This option should be a part of that.
>
> Stuart
>
> ----- Original Message -----
>> From: "Bill Burke" <bburke at redhat.com>
>> To: undertow-dev at lists.jboss.org
>> Sent: Thursday, 14 November, 2013 6:34:58 PM
>> Subject: [undertow-dev] Unprotected areas still trigger auth
>>
>> Accessing an unprotected area triggers our custom
>> AuthenticationMechanism. Is this by design or by spec mandate? Or a bug?
>>
>>
>> --
>> Bill Burke
>> JBoss, a division of Red Hat
>> http://bill.burkecentral.com
>> _______________________________________________
>> undertow-dev mailing list
>> undertow-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/undertow-dev
>>
> _______________________________________________
> undertow-dev mailing list
> undertow-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/undertow-dev
>
More information about the undertow-dev
mailing list