[undertow-dev] AuthMechanism called always?

arjan tijms arjan.tijms at gmail.com
Mon Dec 22 16:12:45 EST 2014


Hi,

On Mon, Dec 22, 2014 at 10:03 PM, Bill Burke <bburke at redhat.com> wrote:
> Nevermind...You need this to queue up challenges just in case
> ServletRequest.authenticate() is invoked.

I don't know Keycloak, but in general it's not so strange that an auth
mechanism is called for unsecured resources. More than a few security
systems do this.

The reason is not just to support ServletRequest.authenticate(), but
also to allow pre-emptive authentication for any resource. Being
authenticated is not something that's only needed for secured
resources; public resources can for instance show extra options when
authenticated.

Kind regards,
Arjan Tijms



>
> On 12/22/2014 10:34 AM, Bill Burke wrote:
>> A user is reporting that our Keycloak AuthMechanism is being called even
>> with unsecured resources.  They have constraints defined in web.xml, but
>> if the constraint is unmatched (unsecure) the mechanism is still called.
>>
>> Why is the auth mechanism called for unsecure resources?
>>
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> _______________________________________________
> undertow-dev mailing list
> undertow-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/undertow-dev
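The behaviour the thread describes can be reproduced with a small Undertow core application. The following is an added example written for this page, not code from Keycloak, Undertow or either poster. It assumes the Undertow 1.x core security API (`AuthenticationMechanism`, `SecurityContext`, `SecurityInitialHandler`, `AuthenticationMechanismsHandler`, `AuthenticationConstraintHandler`, `AuthenticationCallHandler`, `AuthenticationMode`); the single demo user, the realm name and the `/secure/` path prefix are constructed for the example. With `AuthenticationMode.PRO_ACTIVE` the mechanism is invoked on every request, so a client that volunteers credentials is authenticated even on a public page, while a client that sends none gets `NOT_ATTEMPTED` and the public page is served anonymously. Only when the constraint matches (here, paths under `/secure/`) does a missing or failed authentication turn into a challenge.

```java
import java.nio.charset.StandardCharsets;
import java.security.Principal;
import java.util.Base64;
import java.util.Collections;
import java.util.Set;

import io.undertow.Undertow;
import io.undertow.security.api.AuthenticationMechanism;
import io.undertow.security.api.AuthenticationMode;
import io.undertow.security.api.SecurityContext;
import io.undertow.security.handlers.AuthenticationCallHandler;
import io.undertow.security.handlers.AuthenticationConstraintHandler;
import io.undertow.security.handlers.AuthenticationMechanismsHandler;
import io.undertow.security.handlers.SecurityInitialHandler;
import io.undertow.security.idm.Account;
import io.undertow.security.idm.Credential;
import io.undertow.security.idm.IdentityManager;
import io.undertow.security.idm.PasswordCredential;
import io.undertow.server.HttpHandler;
import io.undertow.server.HttpServerExchange;
import io.undertow.util.Headers;
import io.undertow.util.StatusCodes;

/** Pre-emptive HTTP Basic mechanism: authenticates whenever the client offers credentials,
 *  regardless of whether the requested resource is constrained. (Example code.) */
final class PreemptiveBasicMechanism implements AuthenticationMechanism {
    private static final String NAME = "PREEMPTIVE_BASIC";

    @Override
    public AuthenticationMechanismOutcome authenticate(HttpServerExchange exchange, SecurityContext ctx) {
        String header = exchange.getRequestHeaders().getFirst(Headers.AUTHORIZATION);
        if (header == null || !header.startsWith("Basic ")) {
            // No credentials offered. On an unconstrained resource this is the common case:
            // the request continues anonymously and sendChallenge() is never reached.
            return AuthenticationMechanismOutcome.NOT_ATTEMPTED;
        }
        String decoded;
        try {
            decoded = new String(Base64.getDecoder().decode(header.substring(6).trim()), StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            ctx.authenticationFailed("Malformed Basic credentials", NAME);
            return AuthenticationMechanismOutcome.NOT_AUTHENTICATED;
        }
        int colon = decoded.indexOf(':');
        if (colon < 0) {
            ctx.authenticationFailed("Malformed Basic credentials", NAME);
            return AuthenticationMechanismOutcome.NOT_AUTHENTICATED;
        }
        String user = decoded.substring(0, colon);
        char[] password = decoded.substring(colon + 1).toCharArray();
        Account account = ctx.getIdentityManager().verify(user, new PasswordCredential(password));
        if (account == null) {
            // Caveat: a NOT_AUTHENTICATED outcome makes Undertow treat authentication as required
            // for this request, so bad credentials on a public page yield a challenge, not anonymous access.
            ctx.authenticationFailed("Bad credentials for " + user, NAME);
            return AuthenticationMechanismOutcome.NOT_AUTHENTICATED;
        }
        ctx.authenticationComplete(account, NAME, false);
        return AuthenticationMechanismOutcome.AUTHENTICATED;
    }

    @Override
    public ChallengeResult sendChallenge(HttpServerExchange exchange, SecurityContext ctx) {
        // Reached only when authentication is required (constraint matched or a mechanism failed)
        // and no mechanism produced an authenticated account.
        exchange.getResponseHeaders().put(Headers.WWW_AUTHENTICATE, "Basic realm=\"demo\"");
        return new ChallengeResult(true, StatusCodes.UNAUTHORIZED);
    }
}

public final class PreemptiveAuthDemo {
    /** Constructed demo identity store with one user: alice / secret. */
    static final IdentityManager IDM = new IdentityManager() {
        @Override public Account verify(Account account) { return account; }
        @Override public Account verify(Credential credential) { return null; }
        @Override public Account verify(String id, Credential credential) {
            if (!"alice".equals(id) || !(credential instanceof PasswordCredential)) return null;
            if (!"secret".equals(new String(((PasswordCredential) credential).getPassword()))) return null;
            return new Account() {
                @Override public Principal getPrincipal() { return () -> "alice"; }
                @Override public Set<String> getRoles() { return Collections.singleton("user"); }
            };
        }
    };

    public static void main(String[] args) {
        // Public pages can show extra content when the caller authenticated pre-emptively.
        HttpHandler app = exchange -> {
            Account acct = exchange.getSecurityContext().getAuthenticatedAccount();
            exchange.getResponseSender().send(acct == null
                    ? exchange.getRelativePath() + ": anonymous\n"
                    : exchange.getRelativePath() + ": hello " + acct.getPrincipal().getName() + "\n");
        };
        // Only /secure/* is constrained; every other path is public but still passes through the mechanism.
        HttpHandler constrained = new AuthenticationConstraintHandler(new AuthenticationCallHandler(app)) {
            @Override protected boolean isAuthenticationRequired(HttpServerExchange exchange) {
                return exchange.getRelativePath().startsWith("/secure/");
            }
        };
        HttpHandler chain = new SecurityInitialHandler(AuthenticationMode.PRO_ACTIVE, IDM,
                new AuthenticationMechanismsHandler(constrained,
                        Collections.singletonList(new PreemptiveBasicMechanism())));
        Undertow.builder().addHttpListener(8080, "localhost").setHandler(chain).build().start();
    }
}
```

Exercising it with curl: `curl http://localhost:8080/public` answers anonymously, `curl -u alice:secret http://localhost:8080/public` answers with the greeting even though no constraint matched, and `curl -i http://localhost:8080/secure/x` returns 401 with a `WWW-Authenticate` header. Switching the first argument of `SecurityInitialHandler` to `AuthenticationMode.CONSTRAINT_DRIVEN` makes Undertow skip the mechanisms entirely for unconstrained paths, which is the behaviour the original question expected, at the cost of losing pre-emptive authentication on public resources.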

