I'm using Apache Shiro in Karaf 4.0.7. Not sure if the problem I have is a Karaf-related problem or just a Pax-Web-related problem, so I am posting in both forums.

Here is an extract of my Shiro ini file:

/api/getCurrentUser = anon
/login = authc
/logout = logout
/admin/** = authc

The intention is that the first URL (the one associated with "anon") should be accessible without a user being authenticated.

When I deploy my application in Karaf, an HTTP status code 401 is returned and basic authentication is triggered in the browser. If I enter user=password=karaf then I get through.

Does anyone have any idea why this happens? Is it the case that if the URL is not stopped by Shiro, it continues to a filter that Karaf/Pax-Web has set up that requires basic authentication?

How can I get around this?