The class javadoc for CookieAuthenticator says:

> When the credentials are missing or stale, the
> challenge(Response, boolean)<http://www.restlet.org/documentation/2.1/jee/ext/org/restlet/ext/crypto/CookieAuthenticator.html#challenge(org.restlet.Response, boolean)>
> method is invoked by the parent class, and its default behavior
> is to redirect the user's browser to the
> getLoginFormPath()<http://www.restlet.org/documentation/2.1/jee/ext/org/restlet/ext/crypto/CookieAuthenticator.html#getLoginFormPath()>
> URI, adding the URI of the target resource as a query parameter of name
> getRedirectQueryName()<http://www.restlet.org/documentation/2.1/jee/ext/org/restlet/ext/crypto/CookieAuthenticator.html#getRedirectQueryName()>.

But the javadoc for CookieAuthenticator.challenge(Response, boolean) says it must be overridden to return a login form representation, and in fact the implementation of challenge(Response, boolean) is to call super.challenge(response, stale), in both stable and unstable versions.

The supertype version (ChallengeAuthenticator.challenge) sets the status to unauthorized and creates a challenge request from the challenge scheme and puts it in the response. This fails because the HTTP_Cookie scheme is not meant to be used in this way.

My question is whether the class comment is the intent, and the current implementation of CookieAuthenticator.challenge is incomplete, or if the class comment is out of date. If the latter is the case, then can someone give an example of how to override challenge?

--tim

------------------------------------------------------
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=3033005
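
An added example, not part of the original post and not Restlet's own code: one way to override challenge(Response, boolean) so that it performs the redirect the class javadoc describes. The class name LoginRedirectAuthenticator is hypothetical, and the sketch assumes the Restlet 2.1 crypto extension is on the classpath and that the login form resource is reachable without passing through this authenticator.

```java
import org.restlet.Context;
import org.restlet.Response;
import org.restlet.data.Reference;
import org.restlet.data.Status;
import org.restlet.ext.crypto.CookieAuthenticator;

// Hypothetical subclass; the name is illustrative and not part of Restlet.
public class LoginRedirectAuthenticator extends CookieAuthenticator {

    public LoginRedirectAuthenticator(Context context, String realm,
            byte[] encryptSecretKey) {
        super(context, realm, encryptSecretKey);
    }

    @Override
    public void challenge(Response response, boolean stale) {
        // Deliberately no super.challenge(): the supertype answers 401 with a
        // challenge request built from the scheme, which does not work for
        // the HTTP_Cookie scheme.
        Reference target = response.getRequest().getResourceRef();

        // Guard against a redirect loop when the login form itself sits
        // behind this authenticator: answer 401 instead of redirecting.
        if (getLoginFormPath().equals(target.getPath())) {
            response.setStatus(Status.CLIENT_ERROR_UNAUTHORIZED);
            return;
        }

        // Redirect to the login form, carrying the originally requested URI
        // in the query parameter named by getRedirectQueryName().
        Reference login = new Reference(getLoginFormPath());
        login.addQueryParameter(getRedirectQueryName(), target.toString());
        response.redirectSeeOther(login);

        // Whatever code later follows this parameter after a successful
        // login should accept only targets inside this application, since
        // the value is client-controlled once it is in the URL.
    }
}
```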

