Side note: shiro-jaxrs and RequiresPermissions annotations may be a way to accomplish what I want to do.
But what I really wanted was something simpler: avoid 302 redirects for the part of the URL space used by ajax calls (since 302s are handled by the browser and never reach the ajax code waiting for a response). I'm completely OK with having access to the endpoint managed by the shiro filter. Returning 401 until the frontend logs a user in is completely OK. I don't need the fine-grained permission control offered by shiro-jaxrs and @RequiresPermissions. I just want to avoid 302 on the REST operations. Should I add a shiro feature request for this? (I imagine I'm not the only one wanting something