Request body parsing should happen after authentication & authorization validation #163

Closed
mavarazy opened this issue Dec 10, 2015 · 1 comment

Comments

@mavarazy

I'm doing some testing with unsigned requests, and basic auth configuration.
Sending simple POST / GET requests fails on body parsing, before validation.
I think authentication must come before any other actions; it's not only beneficial from a performance point of view, but also from a security perspective.
Let's say I have an endpoint that accepts files, and I don't have authentication on this endpoint, I would still be able to POST files, and drown server memory in trash data. Which might easily affect server performance.

@gakuzzzz
Member

Yes! I agree with your opinion.
It should authorize before body parsing.

However, it is so difficult in the current ActionBuilder/BodyParser mechanism...
(If the Action has no type parameter and has an abstract type member, it may be enabled...)
If we provide authorizationBodyParser, it loses the composability.

And on the other hand, there is a motivation to use HTTP body parameters at authorization.

I think it needs changes in play2 for this problem to be solved.
If you have a nice idea, please send a Pull Request. We welcome it.
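
The ordering discussed in this thread, as an added example that is not part of the issue or of play2-auth's own code: a `BodyParser` wrapper that decides on the request header alone, so an unauthenticated request is answered with 401 before any body bytes are consumed. It assumes Play 2.5 to 2.9 (Accumulator-based parsers with Akka `ByteString`); `AuthFirst`, `authenticatedParser`, `hasValidBasicAuth` and the credentials are hypothetical names.

```scala
// Added example, not from the issue or play2-auth. Assumes Play 2.5-2.9.
import java.nio.charset.StandardCharsets.UTF_8
import java.security.MessageDigest
import java.util.Base64
import scala.util.Try

import akka.util.ByteString
import play.api.http.HeaderNames
import play.api.libs.streams.Accumulator
import play.api.mvc.{BodyParser, RequestHeader, Result, Results}

object AuthFirst {
  // Hypothetical, constructed credentials; load real ones from configuration
  // or a secret store.
  private val expected = "svc-upload:constructed-password".getBytes(UTF_8)

  // Header-only check: it never touches the request body.
  def hasValidBasicAuth(rh: RequestHeader): Boolean =
    rh.headers.get(HeaderNames.AUTHORIZATION).exists { value =>
      value.split(" ", 2) match {
        case Array(scheme, token) if scheme.equalsIgnoreCase("Basic") =>
          Try(Base64.getDecoder.decode(token.trim))
            .map(decoded => MessageDigest.isEqual(decoded, expected)) // constant-time compare
            .getOrElse(false)                                         // malformed base64: reject
        case _ => false
      }
    }

  // Wraps any parser. When the check fails, the inner parser is never invoked,
  // so no upload is buffered in memory or written to a temporary file.
  def authenticatedParser[A](inner: BodyParser[A])(
      check: RequestHeader => Boolean): BodyParser[A] =
    BodyParser("authenticatedParser") { rh =>
      if (check(rh)) inner(rh)
      else
        Accumulator.done[ByteString, Either[Result, A]](
          Left(Results.Unauthorized.withHeaders(
            HeaderNames.WWW_AUTHENTICATE -> "Basic realm=\"upload\"")))
    }
}
```

An action would use it as `Action(AuthFirst.authenticatedParser(parse.temporaryFile)(AuthFirst.hasValidBasicAuth)) { request => ... }`. The wrapper only gates parsing: the outcome of the check is not carried into the action's request type, so the authenticated user still has to be resolved separately.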
