This is by design. Basically authenticate() will always be called, but sendChallenge()
will only be called if authentication is actually required, or if the user supplied
credentials that were actually invalid.
Basically the thinking is that is is better to authenticate, so if you are logging
requests or whatever you can see who is actually performing them.
Is this causing you problems? Originally we had a way to disable this behaviour, but it
seems to have been lost along the way.
Stuart
----- Original Message -----
From: "Bill Burke" <bburke(a)redhat.com>
To: undertow-dev(a)lists.jboss.org
Sent: Thursday, 14 November, 2013 6:34:58 PM
Subject: [undertow-dev] Unprotected areas still trigger auth
Accessing an unprotected area triggers our custom
AuthenticationMechanism. Is this by design or by spec mandate? Or a bug?
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
_______________________________________________
undertow-dev mailing list
undertow-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/undertow-dev