You can also use the `@RequireRoles("myapprole")` annotation instead of the permission one.

I think the problem you might be running into is that the `PassThruAuthenticationFilter` doesn't have a "permissive" option, so it's likely redirecting on that filter.

To work around this, you could use the form auth filter, or create your own filter that, instead of redirecting, returns a 401:
https://github.com/apache/shiro/blob/0c0d9da2d81a4b24de6e02bc1c8a2ad1b5ef32d7/web/src/main/java/org/apache/shiro/web/filter/authc/PassThruAuthenticationFilter.java#L49-L56

Bind your new filter to `/api/**`.

Does that help?

On Tue, Dec 7, 2021 at 2:14 PM Steinar Bang <s...@dod.no> wrote:
>
> Side note: shiro-jaxrs and RequiresPermissions annotations may be a way
> to accomplish what I want to do.
>
> But what I really wanted was something simpler: avoid 302 redirects for
> the part of URL space used by ajax calls (since 302s are handled by the
> browser and never reach the ajax code waiting for a response).
>
> I'm completely OK with having access to the endpoint managed by the
> shiro filter. Returning 401 until the frontend logs a user in is
> completely OK. I don't need the fine grained permission control offered
> by shiro-jaxrs and @RequirePermissions. I just want to avoid 302 on the
> REST operations.
>
> Should I add a shiro feature request for this? (I imagine I'm not the
> only one wanting something
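A sketch of the custom filter suggested in the reply above, added here as an example; it is not code from the thread or from the Shiro project. It assumes Shiro 1.x on the `javax.servlet` API, and the package, class name and `authc401` filter name are hypothetical.

```java
package com.example.shiro; // hypothetical package

import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

import org.apache.shiro.web.filter.authc.PassThruAuthenticationFilter;
import org.apache.shiro.web.util.WebUtils;

/**
 * Same access decision as PassThruAuthenticationFilter, but an
 * unauthenticated request gets a 401 instead of a 302 to the login URL,
 * so the ajax caller sees the failure itself.
 *
 * Possible shiro.ini wiring (filter name and paths are assumptions):
 *
 *   [main]
 *   authc401 = com.example.shiro.Api401AuthenticationFilter
 *
 *   [urls]
 *   /api/** = authc401
 *   /**     = authc
 */
public class Api401AuthenticationFilter extends PassThruAuthenticationFilter {

    @Override
    protected boolean onAccessDenied(ServletRequest request, ServletResponse response)
            throws Exception {
        // Keep the parent's behaviour for the login URL: let the request
        // continue down the chain so the application can authenticate.
        if (isLoginRequest(request, response)) {
            return true;
        }

        // The parent calls saveRequestAndRedirectToLogin() here. Answer with
        // 401 and an empty body instead, and stop the filter chain.
        HttpServletResponse httpResponse = WebUtils.toHttp(response);
        httpResponse.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        return false;
    }
}
```

Paths outside `/api/**` keep the redirecting filter, so browser page loads still reach the login form while REST calls receive the 401.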