[undertow-dev] Unprotected areas still trigger auth
Bill Burke
bburke at redhat.com
Fri Nov 15 10:27:29 EST 2013
On 11/15/2013 8:14 AM, Darran Lofthouse wrote:
> If the required tokens were not within the message then the mechanism
> should return NOT_ATTEMPTED.
>
> If there are multiple mechanisms (or even a single mechanism) and
> authentication is required but all the mechanisms return NOT_ATTEMPTED
> then Undertow will take the decision to turn the request around and call
> sendChallenge on each of them.
>
> NOT_AUTHENTICATED means the mechanism saw 'something' in the incoming
> request and attempted to authenticate it but for some reason failed so
> the message flow needs reversing and the challenges sending. This could
> happen as an example if stale nonce is received in DIGEST.
>
Awesome. I misinterpreted how to pass back Outcomes. Returning
NOT_ATTEMPTED at the appropriate time seemed to fix this problem. I'll
close the JIRA.
Thanks,
Bill
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
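
The outcome contract described in the quoted reply, as an added example that is not part of the original thread and not Undertow's own code: a custom `AuthenticationMechanism` that returns each of the three outcomes at the point the reply describes. The class name, the choice of a Bearer token in the `Authorization` header, the realm string and the `tokenLookup` function are assumptions made for illustration.

```java
import io.undertow.security.api.AuthenticationMechanism;
import io.undertow.security.api.SecurityContext;
import io.undertow.security.idm.Account;
import io.undertow.server.HttpServerExchange;
import io.undertow.util.Headers;
import io.undertow.util.StatusCodes;
import java.util.function.Function;

// Hypothetical mechanism: names and token format are illustrative only.
public final class ExampleBearerMechanism implements AuthenticationMechanism {
    private static final String NAME = "EXAMPLE-BEARER";
    private static final String PREFIX = "Bearer ";
    // Hypothetical validator: returns the Account for a valid token, null otherwise.
    private final Function<String, Account> tokenLookup;

    public ExampleBearerMechanism(Function<String, Account> tokenLookup) {
        this.tokenLookup = tokenLookup;
    }

    @Override
    public AuthenticationMechanismOutcome authenticate(HttpServerExchange exchange,
                                                       SecurityContext sc) {
        String header = exchange.getRequestHeaders().getFirst(Headers.AUTHORIZATION);
        // The required token is not in the message: this mechanism did not try.
        // Undertow sends challenges only if authentication is required.
        if (header == null || !header.regionMatches(true, 0, PREFIX, 0, PREFIX.length())) {
            return AuthenticationMechanismOutcome.NOT_ATTEMPTED;
        }
        String token = header.substring(PREFIX.length()).trim();
        Account account = token.isEmpty() ? null : tokenLookup.apply(token);
        if (account == null) {
            // A token was presented and rejected: the flow is reversed and
            // challenges are sent.
            sc.authenticationFailed("Invalid bearer token", NAME);
            return AuthenticationMechanismOutcome.NOT_AUTHENTICATED;
        }
        sc.authenticationComplete(account, NAME, false);
        return AuthenticationMechanismOutcome.AUTHENTICATED;
    }

    @Override
    public ChallengeResult sendChallenge(HttpServerExchange exchange, SecurityContext sc) {
        exchange.getResponseHeaders().add(Headers.WWW_AUTHENTICATE,
                "Bearer realm=\"example\"");
        return new ChallengeResult(true, StatusCodes.UNAUTHORIZED);
    }
}
```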