xp
Make 404 instead of 401 configurable for Page Resolver
404 makes sense for public sites without login, where certain content is unreachable, and the id provider can't hint how to reach it. 404 is a security measure - to hide even the fact that such content exists. 401/403 makes sense for an intranet, where it is handy to show authentication for content that exists but is secured.
We could make the logic configurable via vhost.
My suggestion is that idprovider could be configured in "active" mode vs "passive" mode on a per-vhost config. The basic idea is that active mode will trigger 401 on any path within the vhost, whereas passive is the standard mode, where idprovider is only triggered when the application/site returns 401.
Maybe having the ability to provide a path filter would also make sense - i.e. './' or './secret-stuff' if you only want a part of the site/app to be protected.
Maybe call this "force authentication" instead?
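
The behaviours discussed in this thread, sketched as an added example that is not part of the issue or of Enonic XP's code. The vhost fields `mode`, `pathFilter` and `hideProtected`, both function names and the request summary are hypothetical.

```javascript
// Hypothetical per-vhost settings; these field names are NOT Enonic XP config keys.
const publicSite = { mode: 'passive', hideProtected: true };   // 404 hides protected content
const intranet   = { mode: 'passive', hideProtected: false };  // 401/403 reveals it
const partial    = { mode: 'active', pathFilter: './secret-stuff', hideProtected: true };

// Segment-aware prefix match, so './secret-stuff' covers /secret-stuff and
// /secret-stuff/x but not /secret-stuff-public. './' (or no filter) covers everything.
function inFilter(filter, path) {
  const base = '/' + (filter || './').replace(/^\.\//, '').replace(/^\/+|\/+$/g, '');
  const p = path.replace(/\/{2,}/g, '/');
  return base === '/' || p === base || p.startsWith(base + '/');
}

// req is a constructed summary: { path, authenticated, exists, canRead }
function resolveStatus(vhost, req) {
  // Active mode: challenge before any content lookup, so existing and missing
  // paths inside the filter look identical to an anonymous client.
  if (!req.authenticated && vhost.mode === 'active' && inFilter(vhost.pathFilter, req.path)) {
    return 401;
  }
  if (!req.exists) return 404;
  if (req.canRead) return 200;
  // Content exists but this caller may not read it.
  if (vhost.hideProtected) return 404;      // hide the fact that it exists
  return req.authenticated ? 403 : 401;     // reveal it and ask for credentials
}
```

With `hideProtected` set, a protected page and a missing page return the same status, while active mode avoids the leak differently: every anonymous request inside the filter is challenged before existence is checked.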