Hi Rémi,
You mean, that a client can authorize himself, but it is not required? I
think this is a good ideas. For browser applications I don't now, if
browsers could work with this.
The authentication should be reworked in the near future (I don't know
te current timetable for this). If your proposal is missing then, throw
it into the discussion again.
best regards
Stephan
Rémi Dewitte schrieb:
Hello all,
Let me make a suggestion about the Guard class.
It would allow the authorize method to make a decision even if no
authentication is present.
Why not adding an authorizeMissing attribute and change handling of
AUTHENTICATION_MISSING in doHandle method
from
challenge(response, false);
to
if(isAuthorizeMissing() && authorize(request)){
accept(request, response);
}else{
challenge(response, false);
}
Cheers,
Rémi
