On 15/11/13 12:59, Bill Burke wrote:
> sendChallenge is still called.

That should only be happening if the mechanisms indicated during the
authenticate step that it wanted a challenge to be sent.
As an example the DIGEST mechanism may want to do this if it receives a
stale nonce.
On 11/15/2013 3:15 AM, Stuart Douglas wrote:
> This is by design. Basically authenticate() will always be called, but
> sendChallenge() will only be called if authentication is actually required, or if the user
> supplied credentials that were actually invalid.
>
> Basically the thinking is that it is better to authenticate, so if you are logging
> requests or whatever you can see who is actually performing them.
>
> Is this causing you problems? Originally we had a way to disable this behaviour, but
> it seems to have been lost along the way.
>
> Stuart
>
> ----- Original Message -----
>> From: "Bill Burke" <bburke(a)redhat.com>
>> To: undertow-dev(a)lists.jboss.org
>> Sent: Thursday, 14 November, 2013 6:34:58 PM
>> Subject: [undertow-dev] Unprotected areas still trigger auth
>>
>> Accessing an unprotected area triggers our custom
>> AuthenticationMechanism. Is this by design or by spec mandate? Or a bug?
>>
>>
>> --
>> Bill Burke
>> JBoss, a division of Red Hat
>> http://bill.burkecentral.com
>> _______________________________________________
>> undertow-dev mailing list
>> undertow-dev(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/undertow-dev
>>
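
One way to write a custom mechanism so that it behaves as the thread describes on unprotected resources, added here as an example and not code from the thread or from the Undertow project. The class name, mechanism name, `X-Example-Token` header and challenge text are hypothetical, and it assumes the `AuthenticationMechanism`, `SecurityContext` and `IdentityManager` signatures of released Undertow versions, which may differ from the 2013 snapshot under discussion.

```java
import io.undertow.security.api.AuthenticationMechanism;
import io.undertow.security.api.SecurityContext;
import io.undertow.security.idm.Account;
import io.undertow.security.idm.IdentityManager;
import io.undertow.security.idm.PasswordCredential;
import io.undertow.server.HttpServerExchange;
import io.undertow.util.Headers;
import io.undertow.util.HttpString;
import io.undertow.util.StatusCodes;

// Hypothetical mechanism: the token header and names below are constructed for this example.
public class ExampleTokenMechanism implements AuthenticationMechanism {
    private static final String NAME = "EXAMPLE-TOKEN";
    private static final HttpString TOKEN_HEADER = new HttpString("X-Example-Token");
    private final IdentityManager identityManager;

    public ExampleTokenMechanism(IdentityManager identityManager) {
        this.identityManager = identityManager;
    }

    // Runs on every request, including requests for unprotected resources.
    @Override
    public AuthenticationMechanismOutcome authenticate(HttpServerExchange exchange,
                                                       SecurityContext securityContext) {
        String token = exchange.getRequestHeaders().getFirst(TOKEN_HEADER);
        if (token == null || token.isEmpty()) {
            // No credentials offered: do not ask for a challenge. An unprotected
            // request proceeds anonymously; a protected one is challenged anyway.
            return AuthenticationMechanismOutcome.NOT_ATTEMPTED;
        }
        Account account = identityManager.verify(new PasswordCredential(token.toCharArray()));
        if (account == null) {
            // Credentials were supplied but are invalid: this outcome is what
            // leads to sendChallenge() even on an unprotected resource.
            securityContext.authenticationFailed("Invalid token", NAME);
            return AuthenticationMechanismOutcome.NOT_AUTHENTICATED;
        }
        // Valid credentials: the caller is identified (useful for request logs).
        securityContext.authenticationComplete(account, NAME, false);
        return AuthenticationMechanismOutcome.AUTHENTICATED;
    }

    @Override
    public ChallengeResult sendChallenge(HttpServerExchange exchange, SecurityContext securityContext) {
        exchange.getResponseHeaders().put(Headers.WWW_AUTHENTICATE, "ExampleToken realm=\"example\"");
        return new ChallengeResult(true, StatusCodes.UNAUTHORIZED);
    }
}
```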