When defining a server connection in Atelier we are required to enter a username and password because these are mandatory fields in the dialog. However, if the /api/atelier web application definition on that server has only the "Unauthenticated" checkbox set in the section titled "Allowed Authentication Methods", then our Atelier connection will succeed even if we supply an invalid username and/or password.
The /api/atelier web application is configured that way (i.e. "Unauthenticated" only) when Minimal security is chosen during a fresh Caché / Ensemble / IRIS install. I haven't tested to see what the situation is after a server on a pre-Atelier version gets upgraded to a version that implements /api/atelier, but I wonder how the new web application's security is initially configured.
IMO, the way that Atelier requires credentials but may nevertheless connect as UnknownUser regardless (because the server's /api/atelier is configured not to accept any credentials) risks giving users a false sense of security about their server.
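A check an administrator can run against their own server to see which case applies, as an added example that is not part of the original post: it requests `/api/atelier/` with random, invalid Basic credentials and reports whether the server let the request through. It assumes a server that enforces password authentication on this application answers 401; the function name and verdict strings are made up for this example.

```python
"""Check whether a server's /api/atelier endpoint accepts invalid credentials."""
import base64
import secrets
import sys
import urllib.error
import urllib.request


def probe_atelier(base_url, timeout=5.0):
    """Send GET /api/atelier/ with deliberately invalid credentials.

    Returns one of:
      "accepts-invalid-credentials"  request succeeded (2xx) despite a bad login
      "rejects-invalid-credentials"  server answered 401
      "inconclusive:<status>"        anything else (403, 404, 5xx, ...)
    """
    # Constructed throwaway credentials; random so they cannot match a real account.
    user = "probe-" + secrets.token_hex(8)
    password = secrets.token_hex(16)
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        base_url.rstrip("/") + "/api/atelier/",
        headers={"Authorization": "Basic " + token},
    )
    # Connect directly, ignoring any proxy settings in the environment.
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    try:
        with opener.open(req, timeout=timeout) as resp:
            status = resp.status
    except urllib.error.HTTPError as err:
        status = err.code  # 4xx/5xx responses arrive as exceptions
    if 200 <= status < 300:
        return "accepts-invalid-credentials"
    if status == 401:
        return "rejects-invalid-credentials"
    return f"inconclusive:{status}"


if __name__ == "__main__":
    # Usage: python check_atelier.py http://<host>:<webserver-port>
    verdict = probe_atelier(sys.argv[1])
    print(verdict)
    sys.exit(0 if verdict == "rejects-invalid-credentials" else 1)
```

A verdict of `accepts-invalid-credentials` means the credentials typed into the Atelier connection dialog are not what is protecting that server.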