Currently, the only way to avoid the filter to challenge clients is by specifying which HTTP methods should not be protected by using the "unprotectedMethods" init param.

Some use cases require some custom logic, based on the current request, to decide whether a resource is protected or not.