users@servlet-spec.java.net

[servlet-spec users] Re: Clarify / improve HttpServletRequest#authenticate?

From: Greg Wilkins <gregw_at_intalio.com>
Date: Thu, 4 Dec 2014 03:56:34 +1100

On 27 November 2014 at 23:50, arjan tijms <arjan.tijms_at_gmail.com> wrote:

> * A user agent pre-emptively sends credentials and the auth module
> that's invoked prior to the resource invocation can opt to process
> these

The way that jetty handles pre-emptively sent credentials for resources
that do not have authentication constraints is that it does not process
them... but if an authentication method such as Request#getAuthType or
Request#getUserIdentity is called, then the pre-emptively provided
credentials are processed at that point.

I had thought this was what was intended and that other containers acted
the same way?

If authenticate is called for such requests, then we only return false if a
response/challenge was sent (as the credentials may be incorrect).







-- 
Greg Wilkins <gregw_at_intalio.com>  @  Webtide - *an Intalio subsidiary*
http://eclipse.org/jetty HTTP, SPDY, Websocket server and client that scales
http://www.webtide.com  advice and support for jetty and cometd.
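
The calling pattern this behaviour implies for application code on an unconstrained resource, as an added illustration that is not part of the message above or of Jetty's code. The servlet name, the `/greeting` path and the `login` parameter are hypothetical; only standard `javax.servlet` calls are used.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical servlet mapped to a path that has NO security-constraint,
// so the container is not required to authenticate before doGet runs.
@WebServlet("/greeting")
public class GreetingServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Presence of the header only means credentials were sent,
        // not that anything has validated them.
        boolean credentialsSent = req.getHeader("Authorization") != null;

        // Hypothetical "login" parameter: the client asks to be authenticated.
        boolean wantsLogin = "true".equals(req.getParameter("login"));

        if (credentialsSent || wantsLogin) {
            // Hand the credentials to the container's configured login
            // mechanism instead of parsing the header in application code.
            if (!req.authenticate(resp)) {
                // false: a challenge/response was sent (for example because
                // the credentials were wrong). The response may already be
                // committed, so stop here.
                return;
            }
        }

        // Only now is the identity meaningful; null means anonymous.
        String user = req.getRemoteUser();
        resp.setContentType("text/plain");
        resp.getWriter().println(user == null
                ? "Hello, anonymous visitor"
                : "Hello, " + user + " (auth type " + req.getAuthType() + ")");
    }
}
```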