Details
Bug
Resolution: Unresolved
Major
None
11.10.2
None
Unknown
Description
I noticed the following behaviour while working on a new Resource Handler with the Authenticate annotation.
It appears that using wrong credentials in HTTP authorization headers doesn't prevent the resource handler from being executed.
Basically, I would have expected to immediately get a 401 Unauthorized in case of wrong credentials, without entering the resource handler.
Now it might be discussed what should be done in case no headers or cookie are provided to a Resource handler with Authenticate annotation, but I guess the javadoc should be clarified, since right now it specifies:
Indicate that a {@link org.xwiki.resource.ResourceReferenceHandler} should be executed in an authenticated context.
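
The fail-closed behaviour the report expects, as an added sketch that is not XWiki code and not part of the original issue: a dispatcher that returns 401 for wrong credentials before the handler runs, and treats the no-credentials case as a separate policy switch. `AuthGate`, `dispatch`, `verifyBasic`, `allowAnonymous` and the sample user store are hypothetical names and constructed data; HTTP Basic is assumed as the scheme.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Map;
import java.util.function.Function;

/** Hypothetical fail-closed gate in front of a handler; not the XWiki implementation. */
public class AuthGate {
    // Constructed sample store (user -> password); real code would verify hashed secrets.
    private static final Map<String, String> USERS = Map.of("alice", "correct-horse");

    /** Returns the HTTP status; the handler runs only if authentication did not fail. */
    static int dispatch(String authorization, boolean allowAnonymous, Function<String, Integer> handler) {
        if (authorization == null) {
            // No credentials at all: the policy question the report leaves open.
            return allowAnonymous ? handler.apply("guest") : 401;
        }
        String user = verifyBasic(authorization);
        if (user == null) {
            return 401; // credentials supplied but wrong: the handler is never entered
        }
        return handler.apply(user);
    }

    /** Returns the user name for a valid Basic header, or null if malformed or wrong. */
    static String verifyBasic(String header) {
        if (!header.regionMatches(true, 0, "Basic ", 0, 6)) return null;
        String decoded;
        try {
            decoded = new String(Base64.getDecoder().decode(header.substring(6).trim()), StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            return null; // not valid base64
        }
        int colon = decoded.indexOf(':');
        if (colon < 0) return null;
        String name = decoded.substring(0, colon);
        String expected = USERS.get(name);
        if (expected == null) return null;
        byte[] given = decoded.substring(colon + 1).getBytes(StandardCharsets.UTF_8);
        // Constant-time comparison of the supplied and expected secrets.
        return MessageDigest.isEqual(given, expected.getBytes(StandardCharsets.UTF_8)) ? name : null;
    }

    public static void main(String[] args) {
        Function<String, Integer> handler = user -> { System.out.println("handler ran as " + user); return 200; };
        String good = "Basic " + Base64.getEncoder().encodeToString("alice:correct-horse".getBytes(StandardCharsets.UTF_8));
        String bad = "Basic " + Base64.getEncoder().encodeToString("alice:wrong".getBytes(StandardCharsets.UTF_8));
        System.out.println(dispatch(good, true, handler)); // valid credentials
        System.out.println(dispatch(bad, true, handler));  // wrong credentials
        System.out.println(dispatch(null, true, handler)); // no credentials, anonymous allowed
    }
}
```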