PR #505 broke the semantics of authentication. /status and / now require authentication when they did not in the past.
Also, the integration test that checked that those endpoints do not require authentication was removed, thus allowing the regression to happen.
Both the test and the filtering (in web.xml) should be fixed to allow /status and / without authentication. I'd say /static needs to be allowed as well, otherwise hawkular_logo.png can't be loaded.
Reported by Michael Burman
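A sketch of the exemption check and the regression cases the report asks for, added here as an example and not taken from the project's web.xml or test suite. The protected path /protected/resource and the location of the logo directly under /static are assumptions; the exemptions match whole path segments after normalization so that opening /static does not also open look-alike or traversal paths.

```python
import posixpath
from urllib.parse import unquote

# Assumption: the exemptions are exactly the three paths named in the report.
PUBLIC_EXACT = {"/", "/status"}
PUBLIC_TREES = ("/static",)

def canonical_path(request_target: str) -> str:
    """Drop the query string, percent-decode once, collapse '.', '..' and '//'."""
    path = unquote(request_target.split("?", 1)[0]) or "/"
    path = posixpath.normpath(path)
    # normpath keeps exactly two leading slashes (POSIX rule); fold them into one.
    return "/" + path.lstrip("/") if path.startswith("/") else path

def requires_auth(request_target: str) -> bool:
    path = canonical_path(request_target)
    if path in PUBLIC_EXACT:
        return False
    # Match whole segments so "/staticfoo" is not treated as "/static".
    return not any(path == t or path.startswith(t + "/") for t in PUBLIC_TREES)

# Constructed sample requests mapped to "must this request authenticate?"
REGRESSION_CASES = {
    "/": False,
    "/status": False,
    "/status?verbose=1": False,
    "/static/hawkular_logo.png": False,       # assumed location of the logo
    "/protected/resource": True,              # hypothetical protected endpoint
    "/statusx": True,                         # look-alike of /status
    "/staticfoo": True,                       # look-alike of /static
    "/static/../protected/resource": True,    # traversal out of /static
    "/static/%2e%2e/protected/resource": True,
    "//protected/static": True,               # duplicate leading slash
}

def failed_cases() -> list:
    """Return the sample requests whose decision differs from the expectation."""
    return [t for t, want in REGRESSION_CASES.items() if requires_auth(t) != want]

if __name__ == "__main__":
    for target in REGRESSION_CASES:
        print(f"{target!r:45} auth required: {requires_auth(target)}")
    print("failures:", failed_cases())
```

In an integration test, the same table would drive unauthenticated HTTP requests against the deployed application, asserting a 401 response only for the entries marked True.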