I'm using Shiro to protect my server. I'm making CORS requests to the server, which causes an OPTIONS call to be made before my method call. Because my user isn't authenticated yet, the OPTIONS call gets a 401 code returned and my method call is never made.
I can't use HttpMethodPermissionFilter as that deals solely with permissions and requires a logged-in user. I've tried writing my own filter to recognize the OPTIONS call and allow it to pass unauthenticated, but the filter chain always continues to my authentication filter and fails there with the 401 response. How do I stop the chain from continuing or tell the authentication filter that it's okay to allow an unauthenticated user access? Thanks.
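Added example, not part of the original post and not Shiro's own code: one way to let the preflight through is to make the decision inside the authentication filter itself, so the chain never reaches the 401 path for that request. It assumes the authentication filter in use is Shiro's `BasicHttpAuthenticationFilter` and the `javax.servlet` API; the class name `PreflightAwareAuthenticationFilter` and the helper `isCorsPreflight` are hypothetical.

```java
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

import org.apache.shiro.web.filter.authc.BasicHttpAuthenticationFilter;
import org.apache.shiro.web.util.WebUtils;

/**
 * Hypothetical subclass (assumption: the application authenticates with
 * BasicHttpAuthenticationFilter). It skips authentication only for genuine
 * CORS preflight requests; every other request, including a plain OPTIONS
 * call that is not a preflight, still goes through the normal check.
 */
public class PreflightAwareAuthenticationFilter extends BasicHttpAuthenticationFilter {

    @Override
    protected boolean isAccessAllowed(ServletRequest request,
                                      ServletResponse response,
                                      Object mappedValue) {
        HttpServletRequest http = WebUtils.toHttp(request);
        if (isCorsPreflight(http)) {
            // Browsers send preflights without credentials, so there is
            // nothing to authenticate. Returning true lets the chain
            // continue to whatever component writes the CORS headers.
            return true;
        }
        return super.isAccessAllowed(request, response, mappedValue);
    }

    /**
     * A preflight is an OPTIONS request that carries both an Origin and an
     * Access-Control-Request-Method header. Matching on the method alone
     * would open every OPTIONS request to unauthenticated callers.
     */
    static boolean isCorsPreflight(HttpServletRequest http) {
        return "OPTIONS".equalsIgnoreCase(http.getMethod())
                && http.getHeader("Origin") != null
                && http.getHeader("Access-Control-Request-Method") != null;
    }
}
```

Register this class in place of the existing authentication filter in the filter chain. The resource behind it should answer OPTIONS with CORS headers only and perform no state change, since that request is unauthenticated.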
