>>>>> Steinar Bang <sb-1rlz5cwd...@public.gmane.org>: > I'm using an OSGi Web Whiteboard component > > https://github.com/steinarb/oldalbum/blob/e8dbf374c6132694f0ad7c0d4026def355d5514e/oldalbum.web.api/src/main/java/no/priv/bang/oldalbum/web/api/OldAlbumWebApiServlet.java#L33
> that derives from JerseyServlet, which is written by me: > > https://github.com/steinarb/servlet/blob/9cce8e033e63a23585ddb868e5af5ec2a1ba9be0/servlet/servlet.jersey/src/main/java/no/priv/bang/servlet/jersey/JerseyServlet.java#L48 > which in turn derives from the Jersey ServletContainer class, and in the > init() method adds injected OSGi services to the HK2 dependency > injection container, so that they can be injected into JAX-RS resource > classes: > > https://github.com/steinarb/servlet/blob/9cce8e033e63a23585ddb868e5af5ec2a1ba9be0/servlet/servlet.jersey/src/main/java/no/priv/bang/servlet/jersey/JerseyServlet.java#L85 > I have written this myself and figured I had a pretty good handle on how > stuff is handled, but the JAX-RS Application and the > Application.getClasses() methods are new to me. Ok, I've got it working by adding the following method to OldAlbumWebApiServlet: @Override protected void init(WebConfig webConfig) throws ServletException { super.init(webConfig); var copyOfExistingConfig = new ResourceConfig(getConfiguration()); copyOfExistingConfig.register(ShiroFeature.class); reload(copyOfExistingConfig); } The org.glassfish.jersey.server.ResourceConfig class extends the javax.ws.rs.core.Application class. After this I got 401 from the Rest API endpoint after clearing cookies, and 200 OK when logged in. I'll summarize with a new post on the 2 year old thread "Shiro: possible to configure part of the unauthenticated URLs to return 401 instead 302?" when I've finished.