RequiresAuthenticationFilter: Doc/Impl wrong; empty clientName #12

Closed
theomega opened this issue Feb 6, 2016 · 3 comments

theomega commented Feb 6, 2016

On the spark-pac4j README, it is stated that you can leave out the clientName parameter on the RequiresAuthenticationFilter:

clientName (optional): the list of client names (separated by commas) used for authentication. If the user is not authenticated, direct clients are tried successively then if the user is still not authenticated and if the first client is an indirect one, this client is used to start the authentication. Otherwise, a 401 HTTP error is returned. If the client_name request parameter is provided, only the matching client is selected

This is not how it is implemented: If you leave the clientName empty, all requests are prevented. This is due to the condition in the DefaultClientFinder.find which is called from RequiresAuthenticationFilter which will return an empty client-list if no client-name is specified.

Could someone clarify if this is
a) A documentation bug
b) An implementation bug

I'm currently searching for the feature to require an authentication without explicitly specifying a client and haven't found it.

@theomega theomega changed the title RequiresAuthenticationFilter: Documentation wrong RequiresAuthenticationFilter: Doc/Impl wrong; empty clientName Feb 6, 2016
Member

leleuj commented Feb 6, 2016

Using the RequiresAuthenticationFilter means that you want to secure a url. The way the authentication is processed or started depends on the clientName parameter which is a list of client names separated by commas (or maybe just one) or an empty string. In this latter case, the url is just protected.

This must not be confused with the client_name parameter which is a request parameter and which allows you to select the client you want to use for authentication.

Let's have some examples:

before("/protected", new RequiresAuthenticationFilter(config, ""));: the /protected url is protected and you must be authenticated to access it; if you are not authenticated, a 401 error is returned

before("/protected", new RequiresAuthenticationFilter(config, "CasClient"));: the /protected url is protected and you must be authenticated to access it; if you are not authenticated, a login process with a CAS server is started

before("/protected", new RequiresAuthenticationFilter(config, "CasClient,FacebookClient"));: the /protected url is protected and you must be authenticated to access it; if you are not authenticated, a login process with a CAS server is started. If you call /protected?client_name=FacebookClient and are not authenticated, a Facebook login is started.

Does it make things clearer? Can you point out the part of the documentation which you find misleading?
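The selection rules described in the comment above, written out as a small stand-alone model. This is an added example, not code from the thread or from pac4j; the class and method names are hypothetical, and it assumes that every client in the sample is an indirect (redirect-based) one and that a client_name value outside the configured list selects nothing.

```java
import java.util.ArrayList;
import java.util.List;

// Simplified model of the behaviour described in this thread; not pac4j code.
public class ClientNameModel {

    // Clients eligible for a request: the filter's clientName list, narrowed
    // to the matching entry when the client_name request parameter is present.
    static List<String> find(String clientName, String requestClientName) {
        List<String> result = new ArrayList<>();
        if (clientName == null || clientName.trim().isEmpty()) {
            return result; // empty clientName: no client is selected
        }
        for (String name : clientName.split(",")) {
            String n = name.trim();
            if (n.isEmpty()) {
                continue; // ignore stray separators
            }
            if (requestClientName == null || n.equals(requestClientName)) {
                result.add(n);
            }
        }
        // Assumption: a client_name outside the configured list selects nothing.
        return result;
    }

    // Outcome for an unauthenticated request, given the selected clients.
    static String onUnauthenticated(List<String> clients) {
        if (clients.isEmpty()) {
            return "401";
        }
        // Assumption: the first client is indirect, so it starts the login.
        return "start login with " + clients.get(0);
    }

    public static void main(String[] args) {
        String[][] cases = { // constructed: {clientName, client_name parameter}
            {"", null},
            {"CasClient", null},
            {"CasClient,FacebookClient", null},
            {"CasClient,FacebookClient", "FacebookClient"},
            {"CasClient", "FacebookClient"},
        };
        for (String[] c : cases) {
            System.out.printf("clientName=\"%s\" client_name=%s -> %s%n",
                    c[0], c[1], onUnauthenticated(find(c[0], c[1])));
        }
    }
}
```

The last case shows why the two parameters must not be confused: the request parameter can only narrow the list configured on the filter, never extend it.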

Author

theomega commented Feb 6, 2016

Oki, that makes it clear, sorry, I was confused

@theomega theomega closed this as completed Feb 6, 2016
Member

leleuj commented Feb 7, 2016

No problem at all. Always feel free to submit pull requests to improve documentation.
