Hi,
On Mon, Dec 22, 2014 at 10:03 PM, Bill Burke <bburke(a)redhat.com> wrote:
> Never mind... You need this to queue up challenges just in case
> ServletRequest.authenticate() is invoked.
I don't know Keycloak, but in general it's not so strange that an auth
mechanism is called for unsecured resources. More than a few security
systems do this.
The reason is not just to support ServletRequest.authenticate(), but
also to allow pre-emptive authentication for any resource. Being
authenticated is not something that's only needed for secured
resources; public resources can for instance show extra options when
authenticated.
Kind regards,
Arjan Tijms
On 12/22/2014 10:34 AM, Bill Burke wrote:
> A user is reporting that our Keycloak AuthMechanism is being called even
> with unsecured resources. They have constraints defined in web.xml, but
> if the constraint is unmatched (unsecure) the mechanism is still called.
>
> Why is the auth mechanism called for unsecure resources?
>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
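The behaviour discussed in this thread, as an added example that is not code from the thread, from Keycloak or from Undertow: a mechanism written against Undertow's `AuthenticationMechanism` interface that stays passive when called for an unsecured resource and only challenges when asked to. The class name, the `X-Example-Token` header and the `tokenLookup` function are hypothetical.

```java
import io.undertow.security.api.AuthenticationMechanism;
import io.undertow.security.api.SecurityContext;
import io.undertow.security.idm.Account;
import io.undertow.server.HttpServerExchange;
import io.undertow.util.Headers;
import io.undertow.util.HttpString;
import io.undertow.util.StatusCodes;
import java.util.function.Function;

// Hypothetical mechanism for illustration; header name and token lookup are assumptions.
public class ExampleTokenMechanism implements AuthenticationMechanism {
    private static final String NAME = "EXAMPLE-TOKEN";
    private static final HttpString TOKEN_HEADER = new HttpString("X-Example-Token");
    private final Function<String, Account> tokenLookup; // returns null for unknown tokens

    public ExampleTokenMechanism(Function<String, Account> tokenLookup) {
        this.tokenLookup = tokenLookup;
    }

    // Called for secured and unsecured resources alike, so it must not touch
    // the response: no redirect, no status code, no challenge header.
    @Override
    public AuthenticationMechanismOutcome authenticate(HttpServerExchange exchange, SecurityContext sc) {
        String token = exchange.getRequestHeaders().getFirst(TOKEN_HEADER);
        if (token == null) {
            // No credentials presented: step aside so a public resource is served anonymously.
            return AuthenticationMechanismOutcome.NOT_ATTEMPTED;
        }
        Account account = tokenLookup.apply(token);
        if (account == null) {
            // Credentials were presented but are not valid: report a failed attempt.
            sc.authenticationFailed("Unknown token", NAME);
            return AuthenticationMechanismOutcome.NOT_AUTHENTICATED;
        }
        // Pre-emptive authentication: the caller is known even on a public resource,
        // so the page can show extra options for authenticated users.
        sc.authenticationComplete(account, NAME, false);
        return AuthenticationMechanismOutcome.AUTHENTICATED;
    }

    // The challenge lives here, separate from authenticate(). Per the thread it is needed
    // when a constraint matches or when ServletRequest.authenticate() is invoked.
    @Override
    public ChallengeResult sendChallenge(HttpServerExchange exchange, SecurityContext sc) {
        exchange.getResponseHeaders().put(Headers.WWW_AUTHENTICATE, NAME);
        return new ChallengeResult(true, StatusCodes.UNAUTHORIZED);
    }
}
```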