Discussions in SRE-1250 have led to the following conclusions:

• pac4j needs to be aligned with Magnolia's security
  • for instance, in Magnolia default's security, a public instance allows anonymous access. pac4j is not aware of that
  • or if a Magnolia public website protects a member area, pac4j will not pick up on it. (This use case is not yet supported but will one day.)
• the way it is done now, pac4j matchers are created on a case-by-case basis to mimic Magnolia's security
• it should however be possible to dynamically resolve what security Magnolia would apply to a requested path, and to allow/disallow anonymous based on that

—

This ticket's initial intent was to make pac4j copy Magnolia's security in the 99% of URLs where pac4j doesn't need to be in front of Magnolia. However, only enabling pac4j on desired target URLs such as Admincentral solves the problem with a better approach, and less code on top of that.