diff --git a/src/main/java/net/hostsharing/hsadminng/config/AuthenticationFilter.java b/src/main/java/net/hostsharing/hsadminng/config/AuthenticationFilter.java
index 1849b815..7a503b05 100644
--- a/src/main/java/net/hostsharing/hsadminng/config/AuthenticationFilter.java
+++ b/src/main/java/net/hostsharing/hsadminng/config/AuthenticationFilter.java
@@ -1,9 +1,6 @@
 package net.hostsharing.hsadminng.config;
 
-import jakarta.servlet.Filter;
 import jakarta.servlet.FilterChain;
-import jakarta.servlet.ServletRequest;
-import jakarta.servlet.ServletResponse;
 import jakarta.servlet.http.HttpServletRequest;
 import jakarta.servlet.http.HttpServletResponse;
 
@@ -11,29 +8,37 @@ import lombok.SneakyThrows;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.security.authentication.BadCredentialsException;
 import org.springframework.stereotype.Component;
+import org.springframework.web.filter.OncePerRequestFilter;
+
 
 @Component
-public class AuthenticationFilter implements Filter {
+public class AuthenticationFilter extends OncePerRequestFilter {
 
     @Autowired
     private Authenticator authenticator;
 
     @Override
     @SneakyThrows
-    public void doFilter(final ServletRequest request, final ServletResponse response, final FilterChain chain) {
-        final var httpRequest = (HttpServletRequest) request;
-        final var httpResponse = (HttpServletResponse) response;
+    protected void doFilterInternal(
+            HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) {
+
+        if ( !request.getRequestURI().startsWith("/api/") ) {
+            final var authenticatedRequest = new AuthenticatedHttpServletRequestWrapper(request);
+            authenticatedRequest.addHeader("current-subject", "nobody");
+            filterChain.doFilter(authenticatedRequest, response);
+            return;
+        }
 
         try {
-            final var currentSubject = authenticator.authenticate(httpRequest);
+            final var currentSubject = authenticator.authenticate(request);
 
-            final var authenticatedRequest = new AuthenticatedHttpServletRequestWrapper(httpRequest);
+            final var authenticatedRequest = new AuthenticatedHttpServletRequestWrapper(request);
             authenticatedRequest.addHeader("current-subject", currentSubject);
 
-            chain.doFilter(authenticatedRequest, response);
+            filterChain.doFilter(authenticatedRequest, response);
         } catch (final BadCredentialsException exc) {
-            // TODO.impl: should not be necessary if ResponseStatusException worked
-            httpResponse.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
+            // TODO.impl: should not be necessary if ResponseStatusException worked - FIXME: try removing
+            response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
         }
     }
 }