On 11/15/2013 8:04 AM, Darran Lofthouse wrote:
On 15/11/13 12:59, Bill Burke wrote:
> sendChallenge is still called.
That should only be happening if the mechanisms indicated during the
authenticate step that it wanted a challenge to be sent.
What is the indication? Sending back NOT_AUTHENTICATED?
As an example the DIGEST mechanism may want to do this if it receives
a stale nonce.
The problem is my oauth mechanism has no way to know if there is another
mechanism or if the request is even supposed to be authenticated. If
there is not appropriate information in the request, it sends back
NOT_AUTHENTICATED and performs a redirect to the auth server in
sendChallenge.
Maybe I'm just using the SPI wrong. I'll take a look at Basic auth again.
Bill
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com