The authentication process is split into two phases: token extraction and user authentication. In the first phase (token extraction), the configured realms are asked, in order, to extract or resolve an authentication token from the incoming request. The first realm that finds a token "wins": that token is the one used for authentication, and processing moves to the second phase (user authentication), in which each realm that supports that token type tries to authenticate the user with it. A realm that does not support the winning token type does not take part in the second phase.
If no authentication token is resolved by any of the active realms, the incoming request is considered anonymous.
By default, anonymous requests are rejected and an authentication error is returned (status code 401). It is possible to change this behaviour and instruct Shield to associate a default/anonymous user with the anonymous request. Note that this fallback applies only to requests carrying no token at all: a request that presents credentials which no realm accepts is an authentication failure, not an anonymous request, and is still rejected. This can be done by configuring the following settings in the
The username/principal of the anonymous user. This setting is optional and will be set to
The roles that will be associated with the anonymous user. This setting is mandatory; without it, anonymous access is disabled (i.e. anonymous requests are rejected and an authentication error is returned).
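The two-phase realm chain and the anonymous fallback described above, modelled as an added Python example. This is illustrative code written for this page, not Shield's implementation. The setting keys `shield.authc.anonymous.username` and `shield.authc.anonymous.roles` are Shield's anonymous-access settings as I know them (verify against your version); the default principal name `_es_anonymous_user`, the realm names, the `X-Api-Token` header and every credential below are constructed for the example.

```python
"""Model of Shield's two-phase authentication with the anonymous fallback.
Illustrative code written for this page, not Shield's own implementation."""
import base64
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class AuthResult:
    status: int                      # 200 = user resolved, 401 = authentication error
    username: Optional[str] = None
    roles: Tuple[str, ...] = ()
    realm: Optional[str] = None


class BasicRealm:
    """Realm that extracts HTTP Basic credentials and checks them against a
    local table {username: (password, [roles])}. Token type: 'basic'."""
    token_type = "basic"

    def __init__(self, name: str, users: Dict[str, Tuple[str, List[str]]]):
        self.name, self.users = name, users

    def extract_token(self, headers: Dict[str, str]):
        auth = headers.get("Authorization", "")
        if not auth.startswith("Basic "):
            return None
        try:
            decoded = base64.b64decode(auth[len("Basic "):], validate=True).decode()
        except (ValueError, UnicodeDecodeError):
            return None                # malformed header: this model treats it as no token
        user, sep, password = decoded.partition(":")
        return (self.token_type, user, password) if sep else None

    def authenticate(self, token) -> Optional[AuthResult]:
        _, user, password = token
        entry = self.users.get(user)
        # constant-time compare; a real realm would verify a password hash instead
        if entry and hmac.compare_digest(entry[0].encode(), password.encode()):
            return AuthResult(200, user, tuple(entry[1]), self.name)
        return None


class ApiTokenRealm:
    """Realm for a constructed X-Api-Token header (not a Shield header), included
    only to show that realms for other token types are skipped in phase two."""
    token_type = "api_token"

    def __init__(self, name: str, tokens: Dict[str, Tuple[str, List[str]]]):
        self.name, self.tokens = name, tokens   # {token value: (username, [roles])}

    def extract_token(self, headers: Dict[str, str]):
        value = headers.get("X-Api-Token")
        return (self.token_type, value) if value else None

    def authenticate(self, token) -> Optional[AuthResult]:
        entry = self.tokens.get(token[1])
        return AuthResult(200, entry[0], tuple(entry[1]), self.name) if entry else None


def parse_anonymous_settings(settings: Dict[str, str]):
    """Return (username, roles), or None when anonymous access is disabled.
    Roles are mandatory; the default username used here is an assumption."""
    raw = settings.get("shield.authc.anonymous.roles", "")
    roles = tuple(r.strip() for r in raw.split(",") if r.strip())
    if not roles:
        return None
    return settings.get("shield.authc.anonymous.username", "_es_anonymous_user"), roles


def authenticate_request(headers: Dict[str, str], realms, settings: Dict[str, str]) -> AuthResult:
    # Phase 1: the first realm that resolves a token wins.
    token = None
    for realm in realms:
        token = realm.extract_token(headers)
        if token is not None:
            break
    if token is None:
        # No token at all: the request is anonymous. Reject unless anonymous
        # roles are configured, in which case attach the anonymous user.
        anon = parse_anonymous_settings(settings)
        return AuthResult(401) if anon is None else AuthResult(200, anon[0], anon[1], "__anonymous")
    # Phase 2: every realm that supports the winning token type gets a chance.
    for realm in realms:
        if realm.token_type == token[0]:
            result = realm.authenticate(token)
            if result is not None:
                return result
    # Credentials were presented but nobody accepted them: an authentication
    # failure, never a fallback to the anonymous user.
    return AuthResult(401)


# Constructed sample realms, settings and a request helper for a stand-alone run.
REALMS = [
    ApiTokenRealm("tokens", {"tok-ops-123": ("ops", ["monitor"])}),
    BasicRealm("native", {"alice": ("s3cret", ["admin"])}),
    BasicRealm("ldap", {"bob": ("hunter2", ["reader"])}),
]
ANON_DISABLED: Dict[str, str] = {}                                   # roles absent -> 401
ANON_ENABLED = {"shield.authc.anonymous.roles": "anon_reader, monitor"}


def basic_header(user: str, password: str) -> Dict[str, str]:
    return {"Authorization": "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()}


if __name__ == "__main__":
    for name, hdrs, cfg in [("no creds, anon off", {}, ANON_DISABLED),
                            ("no creds, anon on", {}, ANON_ENABLED),
                            ("bob/hunter2", basic_header("bob", "hunter2"), ANON_ENABLED),
                            ("bob/wrong", basic_header("bob", "wrong"), ANON_ENABLED)]:
        print(f"{name}: {authenticate_request(hdrs, REALMS, cfg)}")
```

The `bob/wrong` case is the one worth checking when enabling anonymous access: the realm chain resolved a token, so the request is not anonymous and the configured anonymous roles must not be handed out for bad credentials.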