Just figured out that if I do an API request, then "log out" of the OpenAPI UI, which only removes the Authorization header/bearer token, then requests still work. I guess it's because I see a cookie with the JSESSIONID as part of the incoming request, but I don't see how that should work. Shiro is picking up the previous request's API key principal.
If I explicitly go to the logout URL of my application and then attempt the API call (via the OpenAPI UI) again, it fails with a 401 as I would hope. Maybe this is another area where I am fundamentally misunderstanding how things work. I have the noSessionCreation filter for some of these URLs, which I guess I assumed meant that each request would need to be authenticated to work; since there's no session, there should be nothing remembered between requests, but the Subject/principal still appears to be "logged in" after accessing the authcBearer URL, which I don't want.
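For reference, an added shiro.ini fragment (not the poster's configuration, which is not shown) illustrating the filter-chain arrangement the behaviour above turns on. The realm class name and URL patterns are assumptions; the key point is that `noSessionCreation` only stops a *new* session from being created on that request, so it must run before `authcBearer` in the chain, and it does nothing about an existing session that the browser still presents via the JSESSIONID cookie, which is why only a real `logout` clears the principal.

```ini
[main]
# Hypothetical realm that validates API keys; substitute your own.
apiKeyRealm = com.example.ApiKeyRealm
securityManager.realms = $apiKeyRealm

[urls]
# Stateless API: noSessionCreation FIRST, so the bearer login done by
# authcBearer cannot create a session for this request. If authcBearer
# came first, its successful login could persist in a new session and
# later requests carrying the JSESSIONID cookie would stay authenticated
# even after the bearer token is dropped.
/api/** = noSessionCreation, authcBearer

# An existing session (e.g. from a form login in the UI) is still honoured
# on /api/** regardless of noSessionCreation; only invalidating it via the
# logout filter removes the remembered principal.
/logout = logout

# Everything else uses the normal session-backed form login.
/** = authc
```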