diff --git a/src/main/java/net/hostsharing/hsadminng/config/AuthenticationFilter.java b/src/main/java/net/hostsharing/hsadminng/config/AuthenticationFilter.java
index 7a503b05..fb080f87 100644
--- a/src/main/java/net/hostsharing/hsadminng/config/AuthenticationFilter.java
+++ b/src/main/java/net/hostsharing/hsadminng/config/AuthenticationFilter.java
@@ -8,12 +8,19 @@ import lombok.SneakyThrows;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.security.authentication.BadCredentialsException;
 import org.springframework.stereotype.Component;
+import org.springframework.util.AntPathMatcher;
 import org.springframework.web.filter.OncePerRequestFilter;
 
 
+import static java.util.Arrays.stream;
+import static net.hostsharing.hsadminng.config.WebSecurityConfig.AUTHENTICATED_PATHS;
+import static net.hostsharing.hsadminng.config.WebSecurityConfig.PERMITTED_PATHS;
+
 @Component
 public class AuthenticationFilter extends OncePerRequestFilter {
 
+    private static final AntPathMatcher PATH_MATCHER = new AntPathMatcher();
+
     @Autowired
     private Authenticator authenticator;
 
@@ -22,22 +29,23 @@ public class AuthenticationFilter extends OncePerRequestFilter {
     protected void doFilterInternal(
             HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) {
 
-        if ( !request.getRequestURI().startsWith("/api/") ) {
-            final var authenticatedRequest = new AuthenticatedHttpServletRequestWrapper(request);
+        final var authenticatedRequest = new AuthenticatedHttpServletRequestWrapper(request);
+
+        // TODO.impl: Make request matchers work via Spring Security, maybe use Spring Security CAS support directly?
+
+        if (stream(PERMITTED_PATHS).anyMatch(path -> PATH_MATCHER.match(path, request.getRequestURI()))) {
             authenticatedRequest.addHeader("current-subject", "nobody");
             filterChain.doFilter(authenticatedRequest, response);
-            return;
-        }
-
-        try {
-            final var currentSubject = authenticator.authenticate(request);
-
-            final var authenticatedRequest = new AuthenticatedHttpServletRequestWrapper(request);
-            authenticatedRequest.addHeader("current-subject", currentSubject);
-
-            filterChain.doFilter(authenticatedRequest, response);
-        } catch (final BadCredentialsException exc) {
-            // TODO.impl: should not be necessary if ResponseStatusException worked - FIXME: try removing
+        } else if (stream(AUTHENTICATED_PATHS).anyMatch(path -> PATH_MATCHER.match(path, request.getRequestURI()))) {
+            try {
+                final var currentSubject = authenticator.authenticate(request);
+                authenticatedRequest.addHeader("current-subject", currentSubject);
+                filterChain.doFilter(authenticatedRequest, response);
+            } catch (final BadCredentialsException exc) {
+                // TODO.impl: should not be necessary if ResponseStatusException worked - FIXME: try removing
+                response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
+            }
+        } else {
             response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
         }
     }
diff --git a/src/main/java/net/hostsharing/hsadminng/config/WebSecurityConfig.java b/src/main/java/net/hostsharing/hsadminng/config/WebSecurityConfig.java
index aec107b4..a5e4344c 100644
--- a/src/main/java/net/hostsharing/hsadminng/config/WebSecurityConfig.java
+++ b/src/main/java/net/hostsharing/hsadminng/config/WebSecurityConfig.java
@@ -8,23 +8,24 @@ import org.springframework.security.config.annotation.web.configuration.EnableWe
 import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
 import org.springframework.security.web.SecurityFilterChain;
 
+
 @Configuration
 @EnableWebSecurity
 public class WebSecurityConfig {
 
+    public static final String[] PERMITTED_PATHS = new String[]{"/swagger-ui/**", "/v3/api-docs/**", "/actuator/**"};
+    public static final String[] AUTHENTICATED_PATHS = new String[]{"/api/**"};
+
     @Bean
     @Profile("!test")
     public SecurityFilterChain securityFilterChain(final HttpSecurity http) throws Exception {
         return http
                 .authorizeHttpRequests(authorize -> authorize
                         // TODO.impl: implement CAS authentication via Spring Security
+                        // .requestMatchers(PERMITTED_PATHS).permitAll()
+                        // .requestMatchers(AUTHENTICATED_PATHS).authenticated()
+                        // .anyRequest().denyAll()
                         .anyRequest().permitAll()
-                        // .requestMatchers("/swagger-ui/**").permitAll()
-                        // .requestMatchers("/v3/api-docs/**").permitAll()
-                        // .requestMatchers("/actuator/**").permitAll()
-                        // .requestMatchers("/api/ping").permitAll()
-                        // .requestMatchers("/api/**").authenticated()
-                        //.anyRequest().denyAll()
                 )
                 .csrf(AbstractHttpConfigurer::disable)
                 .build();