We always authenticate if the credentials are supplied, there is a way to change this in
undertow core by changing the AuthenticationMode from PRO_ACTIVE to CONSTRAINT_DRIVEN,
however I just realised we have not actually added this option to Servlet deployments. I
have added this option to Undertow upstream so 1.2.0 will support it.
Stuart
----- Original Message -----
From: "Bill Burke" <bburke(a)redhat.com>
To: undertow-dev(a)lists.jboss.org
Sent: Tuesday, 23 December, 2014 8:03:42 AM
Subject: Re: [undertow-dev] AuthMechanism called always?
Nevermind...You need this to queue up challenges just in case
ServletRequest.authenticate() is invoked.
On 12/22/2014 10:34 AM, Bill Burke wrote:
> A user is reporting that our Keycloak AuthMechanism is being called even
> with unsecured resources. They have constraints defined in web.xml, but
> if the constraint is unmatched (unsecure) the mechanism is still called.
>
> Why is the auth mechanism called for unsecure resources?
>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
_______________________________________________
undertow-dev mailing list
undertow-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/undertow-dev