+1 Me too. Let's change the BasicHttpAuthenticationFilter to always return a UsernamePasswordToken.

On Mon, Oct 19, 2009 at 10:14 AM, Peter Ledbrook <[email protected]> wrote:
>> The question for me is - is this the correct behavior? If we change
>> the behavior to allow null return values, and automatically show the
>> access denied page, the security subsystem (Realm and authentication
>> listeners, etc) would never be notified that an authentication attempt
>> was made. Is this ok?
>
> I prefer requiring a valid authentication token, particularly if the
> token is used with listeners, realms, or anything else.
>
> Peter
>
