See https://issues.apache.org/jira/browse/DISPATCH-1039.

If I have a listener with http=true and authenticatePeer=true, the router will require client certificates. This is not always desired. It is also often not sufficient, since EXTERNAL is not yet supported for websocket connections (see DISPATCH-1040) and the clients identity is therefore not available for any policy enforcement.