"shane.bryzak(a)jboss.com" wrote : If you're invoking a restricted method and
the credentials are set (which is what the AuthenticationFilter does) then a silent login
will automatically occur, with no need to explicitly call Identity.authenticate(). Digest
authentication is a special case, with a special type of authenticator. You have to keep
in mind that the request may be for an unsecured resource, for which authentication may
not be required. If that is the case then you don't want to be prompting the user for
their username and password.

I wasn't able to find any code to support your claim so far.

First of all, the AuthenticationFilter is only invoked when its urlPattern matches the
requested resource. This is done in the SeamFilter$FilterChainImpl inner class:

    if (filter instanceof AbstractFilter)
    {
        AbstractFilter bf = (AbstractFilter) filter;

        if ( bf.isMappedToCurrentRequestPath(request) )
        {
            filter.doFilter(request, response, this);
        }
        else
        {
            this.doFilter(request, response);
        }
    }

Therefore, it will not be used if the resource requested is not a protected one.

Secondly, I'd like you to point out to me where the "silent login"
happens. So far, from my own research, the JAAS login() is triggered via the
Identity.authenticate() call. This is not an automatic process; it needs to be invoked from
somewhere, and it is not done with the current code if it is BASIC authentication.

I have to question whether you have done any testing on this, or even looked it up in your
code, before making your claim. I put in the identity fix myself and tried it out
before posting my workaround, and my test confirmed that without the 2nd fix I mentioned,
the authentication does not "silently" happen. You end up repeatedly getting the
username/password prompt from the client browser.

View the original post :
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4125357#...