It would also let the autorize() method to decide whether
AuthenticationMissing forbids the response or not.
For a resource, authorized clients might have more details for example.
Rémi
On Fri, Nov 14, 2008 at 21:17, Stephan Koops <[EMAIL PROTECTED]> wrote:
> Hi Rémi,
>
> You mean, that a client can authorize himself, but it is not required? I
> think this is a good ideas. For browser applications I don't now, if
> browsers could work with this.
>
> The authentication should be reworked in the near future (I don't know te
> current timetable for this). If your proposal is missing then, throw it into
> the discussion again.
>
> best regards
> Stephan
>
> Rémi Dewitte schrieb:
>
> Hello all,
>>
>> Let me make a suggestion about the Guard class.
>>
>> It would allow the authorize method to make a decision even if no
>> authentication is present.
>>
>> Why not adding an authorizeMissing attribute and change handling of
>> AUTHENTICATION_MISSING in doHandle method
>> from
>> challenge(response, false);
>> to
>> if(isAuthorizeMissing() && authorize(request)){
>> accept(request, response);
>> }else{
>> challenge(response, false);
>> }
>>
>> Cheers,
>> Rémi
>>
>
