Today I bumped into a problem: resources protected by Shiro won’t be accessible to CORS requests, even with correct authentication headers.
For CORS requests, the OPTIONS pre-flight request will be regarded as unauthenticated by Apache Shiro since the browser won’t add custom headers to the OPTIONS request. In my case, the OPTIONS request returned 302, attempting to redirect to the login page.
To solve this problem, I overrode the AuthenticatingFilter’s isAccessAllowed method to make it always return true when the request’s method is OPTIONS.
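A sketch of such an override, as an added example rather than the code from the original post. It assumes the form-login filter (`FormAuthenticationFilter`, an `AuthenticatingFilter` subclass) and the `javax.servlet` API; the class name is hypothetical. It also goes one step beyond the fix described above by letting through only genuine preflights (OPTIONS carrying `Origin` and `Access-Control-Request-Method`), so other OPTIONS requests still go through Shiro's normal check.

```java
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

import org.apache.shiro.web.filter.authc.FormAuthenticationFilter;
import org.apache.shiro.web.util.WebUtils;

// Hypothetical class name; register it in place of the stock "authc" filter
// in the Shiro filter configuration.
public class CorsAwareAuthenticationFilter extends FormAuthenticationFilter {

    @Override
    protected boolean isAccessAllowed(ServletRequest request,
                                      ServletResponse response,
                                      Object mappedValue) {
        HttpServletRequest http = WebUtils.toHttp(request);

        // Browsers send the preflight without cookies or custom headers,
        // so it can never authenticate. Let it pass so the CORS handling
        // further down the chain can answer it instead of the 302 to login.
        if (isCorsPreflight(http)) {
            return true;
        }

        // Every other request gets the normal authentication check.
        return super.isAccessAllowed(request, response, mappedValue);
    }

    // A CORS preflight is an OPTIONS request that carries both an Origin
    // header and an Access-Control-Request-Method header. Checking only the
    // method would also exempt plain OPTIONS requests from authentication.
    static boolean isCorsPreflight(HttpServletRequest http) {
        return "OPTIONS".equalsIgnoreCase(http.getMethod())
                && http.getHeader("Origin") != null
                && http.getHeader("Access-Control-Request-Method") != null;
    }
}
```

The filter only stops Shiro from redirecting the preflight; the `Access-Control-Allow-*` response headers still have to come from the application's CORS configuration.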