Currently, authentication is performed after URL traversal has been completed.
The reason for this is to allow the rather unusual use case of forcing people to authenticate in the most specific user database. Someone could be defined and successfully authenticated in more than one database along URL paths and the most specific database would be used. The utility of this is questionable to say the least.
Delaying a authentication until URL traversal is finished prevents the use of protected resources during traversal. As applications become more sophisticated, complex computations may be performed to affect traversal. Sometimes, this computation requires access to protected resources.
Another problem with the current scheme is that objects are traversed which would not be accessible after a authentication is done. For example traversal that is disallowed in DTML would be allowed during current URL traversal.
It is proposed that authorization checks be performed during traversal and that if a user database is encountering traversal, an attempt will be made to authenticate to the user. The authentication will be performed prior to traversal. The latter is required to allow a protected folder to contain the user database that defines its users. Until a user has been authenticated only resources accessible to anonymous can be accessed.
It is theoretically possible that this change could break existing applications. This appears to be extremely unlikely however.