Authorisation algorithm

These are the steps the PAS user folder follows in its validate method:

  1. Extract all credentials. This looks for any possible form of authentication information in a request: HTTP cookies, HTTP form parameters, HTTP authentication headers, originating IP address, etc. A request can have multiple (or no) sets of credentials.
  2. For each set of credentials found:
     1. Try to authorise the credentials. This checks whether the credentials correspond to a known user and are valid.
     2. Create a user instance.
     3. Try to authorise the request. If successful, use this user and stop further processing.
  3. If no set of credentials produced an authorised user:
     1. Create an anonymous user.
     2. Try to authorise the request using the anonymous user. If successful, use this user; if not:
     3. Issue a challenge.
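The flow above, modelled as an added Python example (not PAS's own code): the extractor, authentication, authorisation and challenge plugins, the user store and the sample requests are all constructed for illustration, and the policy that anonymous users may only reach objects flagged `public` is a hypothetical one.

```python
import base64

ANONYMOUS = "Anonymous User"
USERS = {"alice": "s3cret"}  # constructed sample user store (hypothetical)

def basic_header(user, password):
    """Build an HTTP Basic Authorization header value (helper for sample requests)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def extract_cookie(request):
    # Extractor plugin: a session cookie yields a login but no password.
    token = request.get("cookies", {}).get("__ac")
    return [{"login": token}] if token else []

def extract_basic(request):
    # Extractor plugin: an HTTP Basic Authorization header yields login and password.
    header = request.get("headers", {}).get("Authorization", "")
    if not header.startswith("Basic "):
        return []
    login, _, password = base64.b64decode(header[6:]).decode().partition(":")
    return [{"login": login, "password": password}]

def authenticate_password(creds):
    # Authentication plugin: credentials must name a known user with the right password.
    login = creds.get("login")
    if login in USERS and USERS[login] == creds.get("password"):
        return login
    return None

def authorise(user, request):
    # Authorisation step (hypothetical policy): anonymous may only reach public objects.
    return user != ANONYMOUS or bool(request.get("public"))

def challenge():
    # Challenge plugin: ask the client for Basic credentials.
    return {"status": 401, "WWW-Authenticate": 'Basic realm="PAS"'}

EXTRACTORS = [extract_cookie, extract_basic]
AUTHENTICATORS = [authenticate_password]

def validate(request):
    """Return the name of the user allowed to access the request, else a challenge."""
    # 1. extract every credential set the request carries (possibly none)
    credential_sets = [c for extractor in EXTRACTORS for c in extractor(request)]
    # 2. for each set: authenticate it, create the user, try to authorise the request
    for creds in credential_sets:
        for authenticator in AUTHENTICATORS:
            user = authenticator(creds)
            if user is not None and authorise(user, request):
                return user  # first authorised user wins; stop further processing
    # 3. no credential set produced an authorised user: fall back to anonymous
    if authorise(ANONYMOUS, request):
        return ANONYMOUS
    return challenge()
```

A request carrying both a cookie without a password and a valid Basic header shows the per-set loop: the cookie credentials fail authentication and are skipped, the Basic credentials succeed.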