private boolean shouldAuthorize() { if (PKIAuthenticationPlugin.PATH.equals(path)) return false; // admin/info/key is the path where public key is exposed . it is always unsecured if (cores.getPkiAuthenticationPlugin() != null && req.getUserPrincipal() != null) { boolean b = cores.getPkiAuthenticationPlugin().needsAuthorization(req); log.debug("PkiAuthenticationPlugin says authorization required : {} ", b); return b; } return true; }