I am picking up an experiment from two years back: make the REST-API return 401 instead of 302 when the login goes away. https://www.mail-archive.com/dev@shiro.apache.org/msg06772.html

But I can't figure out how to use the shiro magic for JAX-RS in my setting: https://shiro.apache.org/jaxrs.html

Where is the code that scans the annotations and creates 401 response? And how does it hook into e.g. Jersey?

I am using Jersey with the OSGi web whiteboard (OSGi 8, in apache karaf 4.4.5): https://github.com/steinarb/oldalbum/blob/master/oldalbum.web.api/src/main/java/no/priv/bang/oldalbum/web/api/OldAlbumWebApiServlet.java#L33

Will e.g. adding ShiroFeature to Jersey's HK2 dependency injection framework do the trick?

Right now what I've done is to use FormAuthenticationFilter with permissive option and have added @RequiresUsers and @RequiresRoles to a JAX-RS resource: https://github.com/steinarb/oldalbum/blob/master/oldalbum.web.api/src/main/java/no/priv/bang/oldalbum/web/api/resources/AlbumentryResource.java#L32

But the annotations have no effect that I can see: I get 200 OK even with all cookies cleared.

Thanks!

- Steinar
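As an added example (not from the post above and not code from the oldalbum project), the following shows the wiring the question is asking about: registering Shiro's `ShiroFeature` from the shiro-jaxrs module with a Jersey `ResourceConfig`, next to a resource method carrying `@RequiresUser` and `@RequiresRoles`. The package name, the class names `SecuredApiConfig` and `AlbumEntryResource`, the path and the role name are assumptions made for this example; the Shiro and Jersey types are real. It assumes the javax.ws.rs namespace (Shiro 1.x); on Shiro 2 with Jakarta EE the Jersey and Shiro artifact names differ but the registration is the same.

```java
package example; // hypothetical package for this example

import org.apache.shiro.authz.annotation.RequiresRoles;
import org.apache.shiro.authz.annotation.RequiresUser;
import org.apache.shiro.web.jaxrs.ShiroFeature;
import org.glassfish.jersey.server.ResourceConfig;

import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.MediaType;

/**
 * Jersey application configuration (hypothetical class for this example).
 * ShiroFeature is a JAX-RS Feature; registering it makes the JAX-RS runtime
 * install three components:
 *  - a DynamicFeature that attaches an authorization filter to every resource
 *    method annotated with a Shiro annotation (this is the code that "scans
 *    the annotations"),
 *  - an ExceptionMapper for AuthorizationException that answers 401 when the
 *    caller is not authenticated and 403 when authenticated but not permitted,
 *  - a request filter that exposes the Shiro Subject as the SecurityContext
 *    principal.
 * Without this registration the annotations are never evaluated by JAX-RS,
 * and a request to an annotated method simply returns 200.
 */
public class SecuredApiConfig extends ResourceConfig {

    public SecuredApiConfig() {
        register(ShiroFeature.class);
        register(AlbumEntryResource.class);
    }

    /** Example resource; path and role name are constructed for this example. */
    @Path("/albumentry")
    public static class AlbumEntryResource {

        @GET
        @Produces(MediaType.APPLICATION_JSON)
        @RequiresUser                 // must be a known (remembered or authenticated) user
        @RequiresRoles("admin")       // hypothetical role name
        public String list() {
            return "[]";
        }
    }
}
```

The annotation filter that ShiroFeature installs resolves the current user through `SecurityUtils.getSubject()`, so the servlet-level `ShiroFilter` (with the permissive `FormAuthenticationFilter` from the question, or just `anon`) still has to run in front of the Jersey servlet to bind a Subject to the request thread. With both in place, a request with no session cookie reaches the annotated method, the filter throws an `UnauthenticatedException`, and the mapper converts it into a 401 instead of the 302 redirect that the form filter would produce on its own.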
But I can't figure out how to use the shiro magic for JAX-RS in my setting: https://shiro.apache.org/jaxrs.html Where is the code that scans the annotations and creates 401 response? And how does it hook into e.g. Jersey? I am using Jersey with the OSGi web whiteboard (OSGi 8, in apache karaf 4.4.5) https://github.com/steinarb/oldalbum/blob/master/oldalbum.web.api/src/main/java/no/priv/bang/oldalbum/web/api/OldAlbumWebApiServlet.java#L33 Will e.g. adding ShiroFeature to Jersey's HK2 dependency injection framework do the trick? Rignt now what I've done is to use FormAuthenticationFilter with permissive option and have added @RequiresUsers and @RequiresRoles to a JAX-RS resource: https://github.com/steinarb/oldalbum/blob/master/oldalbum.web.api/src/main/java/no/priv/bang/oldalbum/web/api/resources/AlbumentryResource.java#L32 But the annotations have no effect that I can see: I get 200 OK even with all cookies cleared. Thanks! - Steinar