Hi Peter, Did you want to do this change? We should have a Jira issue somewhere to keep track of it...
- Les On Mon, Oct 19, 2009 at 4:41 PM, Les Hazlewood <[email protected]> wrote: > +1 > > Me too. Let's change the BasicHttpAuthenticationFilter to always > return a UsernamePasswordToken. > > On Mon, Oct 19, 2009 at 10:14 AM, Peter Ledbrook <[email protected]> > wrote: >>> The question for me is - is this the correct behavior? If we change >>> the behavior to allow null return values, and automatically show the >>> access denied page, the security subsystem (Realm and authentication >>> listeners, etc) would never be notified that an authentication attempt >>> was made. Is this ok? >> >> I prefer requiring a valid authentication token, particularly if the >> token is used with listeners, realms, or anything else. >> >> Peter >> >
