[undertow-dev] Unprotected areas still trigger auth
Bill Burke
bburke at redhat.com
Fri Nov 15 08:09:20 EST 2013
On 11/15/2013 8:04 AM, Darran Lofthouse wrote:
> On 15/11/13 12:59, Bill Burke wrote:
>> sendChallenge is still called.
>
> That should only be happening if the mechanisms indicated during the
> authenticate step that it wanted a challenge to be sent.
>
What is the indication? Sending back NOT_AUTHENTICATED?
> As an example the DIGEST mechanism may want to do this if it receives a
> stale nonce.
>
The problem is my oauth mechanism has no way to know if there is another
mechanism or if the request is even supposed to be authenticated. If
there is not appropriate information in the request, it sends back
NOT_AUTHENTICATED and performs a redirect to the auth server in
sendChallenge.
Maybe I'm just using the SPI wrong. I'll take a look at Basic auth again.
Bill
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com