Ticket #2460 enhancement closed fixed
HTTPAuthResource doesn't provide any way to support anonymous access.
|Reported by:||dreid||Owned by:|
I think in the absence of an Authorization header portal.login should be called with twisted.cred.credentials.Anonymous, in the case where anonymous access is not allowed (i.e. no checker registered for the IAnonymous credentials interface) portal.login will errback and an unauthorized response will be sent. Otherwise requestAvatar on the realm will be called normally.
This will also require a mechanism for resources below the HTTPAuthResource to trigger authentication at anypoint when the Anonymous credentials prove insufficient. This could be a method on the IAuthenticatedRequest, perhaps IAuthenticatedRequest.reauthenticate()