I've been having continuous problems with guards returning 403 responses
for wrong passwords. Many clients (e.g. Firefox) do not handle the 403 properly
without a challenge.
I wonder if the default response for a wrong password should include a
challenge?
Maybe the forbid() method of Guard class could differentiate between an
unauthorized request (e.g. authenticated by authorize() returned false) and
a non-authenticated request where the credentials do not match.
A simple flag on the forbid method would suffice:
public void forbid(Response response, boolean authenticated) { ... }
and that way someone like myself could override the forbid method on a Guard
instance to add a challenge.
This would fix the problem where Firefox et al. remember the bad password
and require that I "clear passwords" before I get the challenge again.
--Alex Milowski
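The distinction the post asks for (challenge when credentials are missing or wrong, plain 403 only when the caller is authenticated but not allowed), shown as an added example that is not part of the thread and not Restlet's own Guard code; the user store, realm name and Basic-auth parsing are assumptions for illustration.

```python
import base64
import hmac
from typing import Optional, Tuple

# Constructed example user store: username -> (password, set of roles).
USERS = {
    "alice": ("s3cret", {"admin"}),
    "bob": ("hunter2", set()),
}
REALM = "example"  # assumed realm name for the challenge


def basic_header(user: str, password: str) -> str:
    """Build a Basic Authorization header value (used by tests and clients)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def parse_basic(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Return (user, password) from a Basic Authorization header, else None."""
    if not header or not header.lower().startswith("basic "):
        return None
    try:
        decoded = base64.b64decode(header[6:].strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    if ":" not in decoded:
        return None
    user, _, password = decoded.partition(":")
    return user, password


def authenticate(creds: Optional[Tuple[str, str]]) -> Optional[str]:
    """Return the user name if the password matches, else None (constant-time compare)."""
    if creds is None:
        return None
    user, password = creds
    stored = USERS.get(user)
    # Compare against a dummy when the user is unknown so timing does not leak existence.
    expected = stored[0].encode() if stored else b"\x00" * 16
    if stored is None or not hmac.compare_digest(password.encode(), expected):
        return None
    return user


def guard(authorization: Optional[str], required_role: str) -> Tuple[int, dict]:
    """Decide the status and headers: 401 + challenge if not authenticated, 403 if not authorized."""
    user = authenticate(parse_basic(authorization))
    if user is None:
        # Missing or wrong credentials: challenge so the browser re-prompts instead of caching the bad password.
        return 401, {"WWW-Authenticate": f'Basic realm="{REALM}"'}
    if required_role not in USERS[user][1]:
        # Credentials were correct but the role is missing: forbid without a challenge.
        return 403, {}
    return 200, {}
```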