Hi, Unless I'm missing something, I believe Guard.doHandle should be changed from:
public void doHandle(Request request, Response response) { switch (authenticate(request)) { case 1: // Valid credentials provided if (authorize(request)) { accept(request, response); } else { forbid(response); } break; case 0: // No credentials provided challenge(response); break; case -1: // Wrong credentials provided forbid(response); break; } } to: public void doHandle(Request request, Response response) { switch (authenticate(request)) { case 1: // Valid credentials provided accept(request, response); break; case 0: // No credentials provided challenge(response); break; case -1: // Wrong credentials provided forbid(response); break; } } Otherwise, authenticate ends up being called twice (once in the switch statement) and once by authorize() in the case statement. -Vincent.