diff --git a/profiles/killbill/src/main/java/org/killbill/billing/server/modules/KillBillShiroWebModule.java b/profiles/killbill/src/main/java/org/killbill/billing/server/modules/KillBillShiroWebModule.java
index 16ce62d..b8a7992 100644
--- a/profiles/killbill/src/main/java/org/killbill/billing/server/modules/KillBillShiroWebModule.java
+++ b/profiles/killbill/src/main/java/org/killbill/billing/server/modules/KillBillShiroWebModule.java
@@ -119,6 +119,7 @@ public class KillBillShiroWebModule extends ShiroWebModuleWith435 {
if (KillBillShiroModule.isRBACEnabled()) {
addFilterChain(JaxrsResource.PREFIX + "/**", Key.get(CorsBasicHttpAuthenticationFilter.class));
+ addFilterChain(JaxrsResource.PLUGINS_PATH + "/**", Key.get(CorsBasicHttpAuthenticationOptionalFilter.class));
}
}
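Review bot: The chain added on L8 lets plugin requests proceed without credentials, yet nothing at this site records why, and Shiro resolves filter chains in registration order with the first match winning — if `JaxrsResource.PLUGINS_PATH` were ever nested under `JaxrsResource.PREFIX`, the `PREFIX + "/**"` chain registered just above would shadow it (the two look disjoint today, but their values are not visible here). Suggest a comment on the new line: `// Plugin endpoints: credentials are honoured when present but not required; PLUGINS_PATH must stay outside PREFIX, otherwise the API chain above matches first.` Since the optional filter bound here answers true even after a presented login fails, a plugin handler behind this chain must not assume the caller was verified and should consult `SecurityUtils.getSubject().isAuthenticated()` before acting on identity. The enclosing method starts and ends outside the hunk.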
@@ -140,7 +141,7 @@ public class KillBillShiroWebModule extends ShiroWebModuleWith435 {
bind(SessionDAO.class).toProvider(SessionDAOProvider.class).asEagerSingleton();
}
- public static final class CorsBasicHttpAuthenticationFilter extends BasicHttpAuthenticationFilter {
+ public static class CorsBasicHttpAuthenticationFilter extends BasicHttpAuthenticationFilter {
@Override
protected boolean isAccessAllowed(final ServletRequest request, final ServletResponse response, final Object mappedValue) {
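Review bot: Dropping `final` on L15 turns CorsBasicHttpAuthenticationFilter into an extension point without documenting the contract a subclass must keep, so a future override of `isAccessAllowed` could bypass the CORS/authentication decision made here. Suggest a class Javadoc such as: `/** Basic-auth filter for the JAX-RS API. Designed for extension: subclasses may override onAccessDenied to change what happens when credentials are missing or rejected (see CorsBasicHttpAuthenticationOptionalFilter), but should leave isAccessAllowed untouched. */` The `isAccessAllowed` body and the rest of the class continue outside the hunk, so whether it enforces anything beyond the inherited check cannot be confirmed from here.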
@@ -152,6 +153,19 @@ public class KillBillShiroWebModule extends ShiroWebModuleWith435 {
}
}
+ public static final class CorsBasicHttpAuthenticationOptionalFilter extends CorsBasicHttpAuthenticationFilter {
+
+ protected boolean onAccessDenied(final ServletRequest request, final ServletResponse response) throws Exception {
+ if (isLoginAttempt(request, response)) {
+ // Attempt to log-in
+ executeLogin(request, response);
+ }
+
+ // Unlike the original method, we don't send a challenge on failure but simply allow the request to continue
+ return true;
+ }
+ }
+
private final class DefaultWebSecurityManagerTypeListener implements TypeListener {
@Override