I've always thought that 401 "Not Authorized" was poorly chosen wording, 
because it really says the same thing as 403 "Forbidden".  However, the 
requirement that a 401 status also MUST send a WWW-Authenticate header I think 
in practice has led 401 to really mean "Not Authenticated" and 403 to really 
mean "Not Authorized". Whereas the description of 403 in RFC 2616 section 10 
explicitly states that "Authentication will not help", which implies that 
either no authentication is possible, the user is simply trying to do something 
the server doesn't want done, or it implies that the user is in fact 
authenticated, and the server is saying the authenticated user isn't authorized 
to do that.

So where does that leave us?  I guess I think that the abstract implementation 
of Authenticator should not simply return 204 to the client if Authentication 
has been set to be required, and a concrete subclass has returned false in the 
authenticate() method.  It is OK, because it does in fact stop the filter, but 
I think it could be a little bit easier on the programmer implementing the 
concrete subclass.  Perhaps setting the status to 403 is more appropriate in 
this case.  Anyway, I trust the Restlet team's judgement here, but if you 
decide to keep the behavior as it is, then I encourage you to document clearly 
that the unauthenticated() method will also need to be overridden in subclasses 
in order to produce behavior that results in a 401 or 403 upon returning false 
from the authenticate() method.  I would be happy to look at possible 
implementations of changing the default behavior if it is something the Restlet 
team thinks would be worthwhile.

The good news is that as far as my current project goes, I have custom 
subclasses of Authenticators and Authorizers working very well and I really 
like the new security architecture, I'm just trying to figure out if this 
particular aspect of the behavior is as simple as it could be.

Thanks for your time,
Matt

------------------------------------------------------
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=2429029
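Added illustration of the split the post describes (not Matt's code and not
Restlet's own): an Authenticator subclass that overrides unauthenticated() so
that returning false from authenticate() produces a 401 with a WWW-Authenticate
challenge, chained in front of an Authorizer whose refusal yields 403. It
assumes the Restlet 2.x org.restlet.security Authenticator/Authorizer/User API
(authenticate(), unauthenticated(), authorize(), Filter.STOP, Filter.setNext())
and uses a hard-coded placeholder credential instead of a real verifier.

```java
import java.util.Arrays;

import org.restlet.Context;
import org.restlet.Request;
import org.restlet.Response;
import org.restlet.Restlet;
import org.restlet.data.ChallengeRequest;
import org.restlet.data.ChallengeResponse;
import org.restlet.data.ChallengeScheme;
import org.restlet.data.Status;
import org.restlet.security.Authenticator;
import org.restlet.security.Authorizer;
import org.restlet.security.User;

/** Added example, not Restlet project code. Assumes the Restlet 2.x API. */
public class ExplicitStatusAuthenticator extends Authenticator {

    private final String realm;

    public ExplicitStatusAuthenticator(Context context, String realm) {
        super(context);
        this.realm = realm;
    }

    @Override
    protected boolean authenticate(Request request, Response response) {
        ChallengeResponse cr = request.getChallengeResponse();
        if (cr == null) {
            return false; // no credentials presented at all
        }
        // Placeholder check (assumption): a real subclass would consult a
        // credential store or verifier rather than a literal.
        boolean ok = "alice".equals(cr.getIdentifier())
                && Arrays.equals("placeholder-secret".toCharArray(), cr.getSecret());
        if (ok) {
            // Record who the caller is so a downstream Authorizer can decide
            // "authorized or not" separately from "authenticated or not".
            request.getClientInfo().setUser(new User(cr.getIdentifier()));
        }
        return ok;
    }

    @Override
    protected int unauthenticated(Request request, Response response) {
        // Missing or rejected credentials: this is the "Not Authenticated"
        // case, so answer 401 and tell the client how to authenticate.
        response.setStatus(Status.CLIENT_ERROR_UNAUTHORIZED);
        response.getChallengeRequests().add(
                new ChallengeRequest(ChallengeScheme.HTTP_BASIC, realm));
        return STOP;
    }

    /** The "Not Authorized" case: caller is known but may not do this. */
    public static class AdminOnlyAuthorizer extends Authorizer {
        @Override
        protected boolean authorize(Request request, Response response) {
            User user = request.getClientInfo().getUser();
            // Placeholder policy (assumption): only "alice" may pass.
            return user != null && "alice".equals(user.getIdentifier());
        }

        @Override
        protected int unauthorized(Request request, Response response) {
            // Authentication will not help here, so 403 rather than 401.
            response.setStatus(Status.CLIENT_ERROR_FORBIDDEN);
            return STOP;
        }
    }

    /** Wire the chain: authenticator -> authorizer -> the protected Restlet. */
    public static Restlet protect(Context context, Restlet target) {
        ExplicitStatusAuthenticator auth =
                new ExplicitStatusAuthenticator(context, "example-realm");
        AdminOnlyAuthorizer authz = new AdminOnlyAuthorizer();
        authz.setNext(target);
        auth.setNext(authz);
        return auth;
    }
}
```

With this wiring a request without credentials stops at the authenticator with
401 plus a WWW-Authenticate header, while a request from an authenticated user
who fails the authorizer's check stops with 403, which is the distinction the
post draws between "Not Authenticated" and "Not Authorized".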