Allow authenticator's unauthenticated() method to return response.

src/Controller/Component/Auth/BaseAuthenticate.php

@@ -201,9 +201,12 @@ public function getUser(Request $request) {
 	}
 
 /**
- * Handle unauthenticated access attempt. In implementation, will return true to indicate
- * the unauthenticated request has been dealt with and no more action is required by
- * AuthComponent or void (default).
+ * Handle unauthenticated access attempt. In implementation valid return values
+ * can be:
+ *
+ * - Null - No action taken, AuthComponent should return appropriate response.
+ * - Cake\Network\Response - A response object, which will cause AuthComponent to
+ *   simply return that response.
  *
  * @param \Cake\Network\Request $request A request object.
  * @param \Cake\Network\Response $response A response object.

src/Controller/Component/AuthComponent.php

@@ -299,8 +299,9 @@ protected function _unauthenticated(Controller $controller) {
 			$this->constructAuthenticate();
 		}
 		$auth = $this->_authenticateObjects[count($this->_authenticateObjects) - 1];
-		if ($auth->unauthenticated($this->request, $this->response)) {
-			return false;
+		$result = $auth->unauthenticated($this->request, $this->response);
+		if ($result !== null) {
+			return $result;
 		}
 
 		if ($this->_isLoginAction($controller)) {