[undertow-dev] Unprotected areas still trigger auth

Darran Lofthouse darran.lofthouse at jboss.com
Fri Nov 15 07:03:45 EST 2013


On 14/11/13 17:34, Bill Burke wrote:
> Accessing an unprotected area triggers our custom
> AuthenticationMechanism.  Is this by design or by spec mandate?  Or a bug?

Design, but it can be disabled; we may still need to expose the option, 
however.

There are two reasons for this:
  1 - Authentication mechanisms based on mechanism-specific processes 
once authentication has commenced, e.g. DIGEST, where the nonce count is 
incremented on each request or the client or server is signing the request.

  2 - Regular user demand that the authenticated identity is available 
to the web app even when the non-secured resources are accessed.
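
A self-contained model of the behaviour described in this message, added here as an example and not taken from Undertow or from the original post: the mechanism runs on every request so an identity is available on open resources, while a challenge is issued only where one is needed. The class, enum and path names and the token table are constructed for illustration.

```java
import java.util.Map;

// Added model (Java 16+), not Undertow code: every name below is hypothetical.
public class AuthDispatchModel {
    enum Mode { RUN_ON_EVERY_REQUEST, RUN_ONLY_WHEN_REQUIRED }
    enum Outcome { AUTHENTICATED, NOT_ATTEMPTED, NOT_AUTHENTICATED }

    record Request(String path, String token) {}   // token == null: no credentials sent
    record Result(int status, String identity, int mechanismCalls) {}

    // Constructed sample data: one protected prefix and one valid bearer token.
    static final String PROTECTED_PREFIX = "/secure/";
    static final Map<String, String> TOKENS = Map.of("tok-alice", "alice");

    // The mechanism stays silent when no credentials are present, so being
    // invoked on an open resource costs one check and nothing else.
    static Outcome authenticate(Request r, String[] identityOut) {
        if (r.token() == null) return Outcome.NOT_ATTEMPTED;
        String user = TOKENS.get(r.token());
        if (user == null) return Outcome.NOT_AUTHENTICATED;
        identityOut[0] = user;
        return Outcome.AUTHENTICATED;
    }

    static Result handle(Mode mode, Request r) {
        boolean required = r.path().startsWith(PROTECTED_PREFIX);
        String[] identity = new String[1];
        Outcome outcome = Outcome.NOT_ATTEMPTED;
        int calls = 0;
        if (required || mode == Mode.RUN_ON_EVERY_REQUEST) {
            outcome = authenticate(r, identity);
            calls++;
        }
        // Challenge when the resource requires a login that did not happen, or
        // (a choice made in this model) when presented credentials were rejected.
        boolean challenge = outcome == Outcome.NOT_AUTHENTICATED
                || (required && outcome != Outcome.AUTHENTICATED);
        return challenge ? new Result(401, null, calls) : new Result(200, identity[0], calls);
    }

    public static void main(String[] args) {
        Request[] samples = {
            new Request("/public/home", null), new Request("/public/home", "tok-alice"),
            new Request("/public/home", "bogus"), new Request("/secure/admin", null) };
        for (Mode m : Mode.values())
            for (Request r : samples)
                System.out.println(m + " " + r + " -> " + handle(m, r));
    }
}
```

In the every-request mode the `/public/home` request carrying `tok-alice` is served with identity `alice`; in the other mode the same request is served anonymously with zero mechanism calls.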
