Recently we encountered an issue where setting require-whisk-auth == false on a web action lead to the web action invocation being rejected (401). I opened this issue to cover it https://github.com/apache/openwhisk/issues/4985.
I think this is a bug/oversight in the implementation. Comments appreciated. -r
