I posted a question a few days ago but got no response. I suspect that it was because I wasn't detailed enough. Anyway, here is a new attempt.
I'm using Shiro 1.2.1 in combination with Jersey running in Weblogic. I have developed a REST API that I need to access cross domain (using CORS) with basic authentication. The web browser sometimes need to send a preflight request using the HTTP method OPTIONS. Firefox requires that this request does not require authentication (see https://bugzilla.mozilla.org/show_bug.cgi?id=778548). So, using Shiro I need to require basic authentication for a certain URL unless the HTTP method is OPTIONS. How do I do that? I found the following discussion: http://www.mail-archive.com/[email protected]/msg00051.html I'm not sure what is actually implemented in Shiro 1.2.1. There seem to be two JIRA's regarding this: https://issues.apache.org/jira/browse/SHIRO-107 https://issues.apache.org/jira/browse/SHIRO-200 The first one is fixed in Shiro 1.0.0 but it looks like the result was the HttpMethodPermissionFilter. That won't help me since I want to exclude authentication alltogether if the HTTP method is OPTIONS. The second one seems more inline with my needs but it's not resolved yet. Can anyone clarify the status of this issue and perhaps suggest a workaround while the issue is being resolved? I think that this is really important. I imagine a lot of developers are using Shiro for their REST API's and also together with CORS which is now supported in all major (modern) browsers. /Bengt
