filter as an authentication filter to this.
The filter gets a chance to bypass authentication for certain requests that would otherwise require it. For example, it might check the message's path in some way that is too complicated to do via the other methods, or it might check the message's method, and allow GETs but not PUTs.
The filter function returns true if the request should still require authentication, or false if authentication is unnecessary for this request.
To help prevent security holes, your filter should return true by default, and only return false in specifically-tested circumstances, rather than the other way around. For example, in the case above, where you want to authenticate PUTs but not GETs, you should check if the method is GET and return false in that case, and then return true for all other methods (rather than returning true for PUT and false for all other methods). This way, if it turned out (now or later) that some paths supported additional methods besides GET and PUT, those methods would default to being NOT allowed for unauthenticated users.
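The difference between the two filter shapes shows up as soon as a method other than GET or PUT arrives. The following is an added example, not code from the library: struct request and the function names are hypothetical stand-ins for the message object the real filter callback receives, and the sample requests are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the request a filter inspects; the real
 * callback receives the library's own message object instead. */
struct request { const char *method; const char *path; };

/* Default-deny filter, as recommended: only the tested case returns false. */
static bool filter_default_deny(const struct request *req)
{
    if (req->method != NULL && strcmp(req->method, "GET") == 0)
        return false;   /* GET: authentication unnecessary */
    return true;        /* everything else still requires authentication */
}

/* Inverted filter the text warns against: only PUT is protected. */
static bool filter_default_allow(const struct request *req)
{
    if (req->method != NULL && strcmp(req->method, "PUT") == 0)
        return true;
    return false;       /* any method nobody tested for is left open */
}

/* Count the requests a filter would let through without authentication. */
static size_t count_unauthenticated(bool (*filter)(const struct request *),
                                    const struct request *reqs, size_t n)
{
    size_t open = 0;
    for (size_t i = 0; i < n; i++)
        if (!filter(&reqs[i]))
            open++;
    return open;
}

/* Constructed sample requests, including methods supported "later"
 * and malformed input (wrong case, missing method). */
static const struct request SAMPLE[] = {
    { "GET", "/doc" }, { "PUT", "/doc" }, { "DELETE", "/doc" },
    { "PATCH", "/doc" }, { "get", "/doc" }, { NULL, "/doc" },
};
#define SAMPLE_LEN (sizeof SAMPLE / sizeof SAMPLE[0])

int main(void)
{
    printf("default-deny leaves %zu open, default-allow leaves %zu open\n",
           count_unauthenticated(filter_default_deny, SAMPLE, SAMPLE_LEN),
           count_unauthenticated(filter_default_allow, SAMPLE, SAMPLE_LEN));
    return 0;
}
```

With the default-deny filter only the exact GET request skips authentication; the inverted filter also leaves DELETE, PATCH and the malformed requests unauthenticated.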
the auth filter for this
destroy notifier to free
data to pass to