For reference: https://issues.apache.org/jira/browse/SHIRO-283
I wonder if there is a way for us to do this in a cleaner way. I'm not sure that the 'permissive' flag, while a good initial solution, is ideal. That is, to me, the AuthenticationFilter makes a _guarantee_ that the request won't go through unless 1) the subject is already authenticated or 2) the current request is an authentication-related request. Unless I'm missing something, the 'permissive' flag eliminates this guarantee.

I wonder if it'd be better for us to create a composite Filter that does the necessary logic to retain the guarantee. Perhaps it is even as simple as OO composition where we can use the FormAuthenticationFilter and the BasicAuthenticationFilter internally to offload work (not sure - haven't thought about that much yet).

Thoughts?

Les
