>>>>> Brian Demers <brian.demers-re5jqeeqqe8avxtiumw...@public.gmane.org>:
> You can also use `@RequireRoles("myapprole")` annotation instead of
> the permission one.

> I think the problem you might be running into is the
> `PassThruAuthenticationFilter` doesn't have a "permissive" option, so
> it's likely redirecting on that filter.

Ok. I can't remember why I'm using that one, but it is the one that had
the behaviour I desired once upon a time... ah! The comment says why:

    // Using the PassThruAuthenticationFilter instead of the default authc FormAuthenticationFilter
    // to be able to do a redirect back "out of" authservice to the originalUrl

It's because of my usage of shiro for something other than authentication
inside of a java webapp. I use it to provide cookie authentication to
nginx and across multiple web applications.

> To work around this, you could use the form auth filter, or create
> your own filter that instead of redirecting returns a 401
> https://github.com/apache/shiro/blob/0c0d9da2d81a4b24de6e02bc1c8a2ad1b5ef32d7/web/src/main/java/org/apache/shiro/web/filter/authc/PassThruAuthenticationFilter.java#L49-L56
> Bind your new filter to `/api/**`

> Does that help?

Yes, I think so, thanks! But it will require some thought and
experimentation...

But since I won't do redirects on the /api/* paths, there is no need for
the PassThruAuthentication behaviour here, so I could use the regular
authc filter for this path.
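
The workaround suggested in the quoted text (a filter that answers 401 instead of redirecting, bound to `/api/**`), as an added example that is not part of the original message and not Shiro's own code. The class name `ApiAuthenticationFilter`, the package `com.example` and the `shiro.ini` lines in the comment are assumptions, as is the use of the `javax.servlet` API.

```java
package com.example; // hypothetical package

import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

import org.apache.shiro.web.filter.authc.PassThruAuthenticationFilter;
import org.apache.shiro.web.util.WebUtils;

/**
 * Variant of PassThruAuthenticationFilter for API paths: an unauthenticated
 * request gets 401 Unauthorized instead of a redirect to the login page.
 *
 * Possible shiro.ini wiring (assumed names):
 *
 *   [main]
 *   apiAuthc = com.example.ApiAuthenticationFilter
 *
 *   [urls]
 *   /api/** = apiAuthc
 */
public class ApiAuthenticationFilter extends PassThruAuthenticationFilter {

    @Override
    protected boolean onAccessDenied(ServletRequest request, ServletResponse response)
            throws Exception {
        // Keep the parent's behaviour for the login URL itself: let it through
        // so the application can process the login attempt.
        if (isLoginRequest(request, response)) {
            return true;
        }

        // The parent calls saveRequestAndRedirectToLogin() here. For API
        // clients, skip both the saved request (no session is created for an
        // anonymous caller) and the redirect, and report the failure directly.
        HttpServletResponse httpResponse = WebUtils.toHttp(response);
        httpResponse.setHeader("Cache-Control", "no-store");
        httpResponse.sendError(HttpServletResponse.SC_UNAUTHORIZED);

        // false stops the filter chain, so the protected resource is never reached.
        return false;
    }
}
```

Role or permission checks such as the annotation mentioned in the quoted text still apply after this filter lets an authenticated request through; the filter only changes what an unauthenticated caller receives.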