> The question for me is - is this the correct behavior? If we change > the behavior to allow null return values, and automatically show the > access denied page, the security subsystem (Realm and authentication > listeners, etc) would never be notified that an authentication attempt > was made. Is this ok?
I prefer requiring a valid authentication token, particularly if the token is used with listeners, realms, or anything else. Peter
