>>>>> Brian Demers <brian.demers-re5jqeeqqe8avxtiumw...@public.gmane.org>:
> That should work, keep us posted!

Ok, 2 years, 8 weeks, and 5 days have passed, but now I finally got around to it, and I can report it worked perfectly:

1. User with the required role is logged in: a POST to the API gets 200 OK
2. User without the required role is logged in: a POST to the API gets 403 FORBIDDEN
3. Not logged in: a POST to the API gets 401 UNAUTHORIZED

Not a 302 FOUND in sight! :-)

Both the 401 and 403 responses are handled as errors by axios, so the following redux saga fires off a SAVE_MODIFIED_PICTURE_FAILURE instead of a SAVE_MODIFIED_PICTURE_RECEIVED:
https://github.com/steinarb/oldalbum/blob/feb8a3e9d8125be012b5c76db36e907807f841a7/oldalbum.web.frontend/src/main/frontend/src/sagas/modifyPictureSaga.js#L18

(My problem with 302 was that the 302 redirected to the login page, and the HTML login page was returned with a 200 OK but didn't parse well as JSON, so that a SAVE_MODIFIED_PICTURE_RECEIVED with empty data blanked out existing values.)

What I did was:

1. Add a maven dependency to shiro-jaxrs
   https://github.com/steinarb/oldalbum/blob/feb8a3e9d8125be012b5c76db36e907807f841a7/pom.xml#L52
   https://github.com/steinarb/oldalbum/blob/feb8a3e9d8125be012b5c76db36e907807f841a7/oldalbum.web.api/pom.xml#L75
   (scope compile causes it to be added to the bundle's auto-generated, attached, feature repository, so that the bundle will be loaded at runtime in karaf)
2. Override the init() method of the Jersey ServletContainer base class of the servlet, to do the same thing as the Application here: https://shiro.apache.org/jaxrs.html#example (the org.glassfish.jersey.server.ResourceConfig class extends javax.ws.rs.core.Application)
   https://github.com/steinarb/oldalbum/blob/feb8a3e9d8125be012b5c76db36e907807f841a7/oldalbum.web.api/src/main/java/no/priv/bang/oldalbum/web/api/OldAlbumWebApiServlet.java#L44
3. Add a @RequiresUser and a @RequiresRoles annotation to the top of the JAX-RS resource that needs authentication (the resource handling the REST endpoints that do modification of the database)
   https://github.com/steinarb/oldalbum/blob/feb8a3e9d8125be012b5c76db36e907807f841a7/oldalbum.web.api/src/main/java/no/priv/bang/oldalbum/web/api/resources/AlbumentryResource.java#L37
4. Use anon for all of the REST API in the shiro.ini
   https://github.com/steinarb/oldalbum/commit/feb8a3e9d8125be012b5c76db36e907807f841a7

Thanks for the pointers, Brian! And sorry for the late feedback, but better late than never! :-)
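As an added illustration (not the oldalbum project's own code), the same setup in the plain JAX-RS Application form shown in the linked Shiro docs, instead of the project's ServletContainer.init() override; the resource class AlbumEntryResource, the payload type AlbumEntry and the role name "albumadmin" are assumed names for this example:

```java
import java.util.HashSet;
import java.util.Set;
import javax.ws.rs.Consumes;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Application;
import javax.ws.rs.core.MediaType;
import org.apache.shiro.authz.annotation.RequiresRoles;
import org.apache.shiro.authz.annotation.RequiresUser;
import org.apache.shiro.web.jaxrs.ShiroFeature;

// Registers Shiro's JAX-RS feature next to the resource. A Jersey ResourceConfig
// (which extends Application) can call register(ShiroFeature.class) to the same effect.
public class AlbumApplication extends Application {
    @Override
    public Set<Class<?>> getClasses() {
        Set<Class<?>> classes = new HashSet<>();
        // ShiroFeature installs the annotation interceptor and the exception mappers
        // that turn "not authenticated" into 401 and "not authorized" into 403,
        // so an API client never sees a 302 to an HTML login page.
        classes.add(ShiroFeature.class);
        classes.add(AlbumEntryResource.class);
        return classes;
    }
}

// Assumed resource name. Because shiro.ini maps the REST paths to "anon",
// these two annotations (not a redirecting authc filter) make the access decision.
@Path("/albumentry")
@RequiresUser                  // no authenticated subject  -> 401 UNAUTHORIZED
@RequiresRoles("albumadmin")   // subject lacks the role    -> 403 FORBIDDEN (assumed role name)
class AlbumEntryResource {
    @POST
    @Path("/modify")
    @Consumes(MediaType.APPLICATION_JSON)
    @Produces(MediaType.APPLICATION_JSON)
    public AlbumEntry modifyEntry(AlbumEntry entry) {
        // Only reached when both annotation checks pass; persist the change here.
        return entry;
    }
}

// Minimal assumed payload type for the example.
class AlbumEntry {
    public int id;
    public String title;
}
```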