Hi all,
Perhaps something that I should have noticed earlier...
Currently, an optional authenticator sets the ClientInfo to be
authenticated whether or not the authentication was successful or took
place. This is due to beforeHandle and authenticated:
    @Override
    protected int beforeHandle(Request request, Response response) {
        if (authenticate(request, response) || isOptional()) {
            return authenticated(request, response);
        }
        return unauthenticated(request, response);
    }

    //... (in authenticated)
    if (request.getClientInfo() != null) {
        request.getClientInfo().setAuthenticated(true);
    }
I think that's not the right thing to do. I don't know if this was
intentional or if it's a bug. In my opinion, an optional authenticator
should let the request through if the authentication fails, but treat the
user as anonymous in this case.
I think ClientInfo.getAuthenticated() could be used to distinguish
between anonymous users and users who've logged on/authenticated with an
optional authenticator, which this doesn't do.
If it's a bug, I'd suggest changing beforeHandle as follows:
    @Override
    protected int beforeHandle(Request request, Response response) {
        if (authenticate(request, response)) {
            return authenticated(request, response);
        } else if (isOptional()) {
            return CONTINUE;
        } else {
            return unauthenticated(request, response);
        }
    }
Any thoughts?
Best wishes,
Bruno.
------------------------------------------------------
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=2643882
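
The following stand-alone model is an added example, not part of the original post and not Restlet's own code. It runs the two beforeHandle variants quoted above side by side and shows what a downstream check of the authenticated flag sees. The ClientInfo stand-in, the constant values, the "s3cret" credential check and the resource() method are assumptions made for the illustration.

```java
// Simplified stand-ins written for this example; none of this is Restlet code.
public class OptionalAuthDemo {
    static final int CONTINUE = 0, STOP = 2; // model constants

    static class ClientInfo {
        boolean authenticated; // stand-in for the flag discussed in the post
    }

    // Constructed credential check: only the secret "s3cret" is accepted.
    static boolean authenticate(String secret) {
        return "s3cret".equals(secret);
    }

    static int authenticated(ClientInfo ci) {
        ci.authenticated = true; // mirrors setAuthenticated(true) in the post
        return CONTINUE;
    }

    static int unauthenticated(ClientInfo ci) {
        return STOP;
    }

    // Behaviour described in the post: optional means authenticated() always runs.
    static int beforeHandleCurrent(String secret, boolean optional, ClientInfo ci) {
        if (authenticate(secret) || optional) return authenticated(ci);
        return unauthenticated(ci);
    }

    // Behaviour proposed in the post: optional and failed means continue, flag untouched.
    static int beforeHandleProposed(String secret, boolean optional, ClientInfo ci) {
        if (authenticate(secret)) return authenticated(ci);
        else if (optional) return CONTINUE;
        else return unauthenticated(ci);
    }

    // Hypothetical downstream resource that trusts the flag to pick a view.
    static String resource(int result, ClientInfo ci) {
        if (result != CONTINUE) return "blocked";
        return ci.authenticated ? "member view" : "anonymous view";
    }

    public static void main(String[] args) {
        for (String s : new String[] { "s3cret", "wrong", null }) {
            ClientInfo a = new ClientInfo(), b = new ClientInfo();
            String cur = resource(beforeHandleCurrent(s, true, a), a);
            String prop = resource(beforeHandleProposed(s, true, b), b);
            System.out.printf("secret=%-6s current=%-14s proposed=%s%n", s, cur, prop);
        }
    }
}
```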