diff --git a/pac4j-module/src/main/java/net/unicon/shibui/pac4j/AddNewUserFilter.java b/pac4j-module/src/main/java/net/unicon/shibui/pac4j/AddNewUserFilter.java
index a6a75fac1..581cde47e 100644
--- a/pac4j-module/src/main/java/net/unicon/shibui/pac4j/AddNewUserFilter.java
+++ b/pac4j-module/src/main/java/net/unicon/shibui/pac4j/AddNewUserFilter.java
@@ -64,19 +64,21 @@ public void doFilter(ServletRequest request, ServletResponse response, FilterCha
 user = persistedUser.get();
 }
 if (user.getRole().equals(ROLE_NONE)) {
-// throw new AccessDeniedException("DENIED!");
- response.setContentType(ContentType.APPLICATION_JSON.getMimeType());
+ throw new AccessDeniedException("DENIED!");
+/* response.setContentType(ContentType.APPLICATION_JSON.getMimeType());
 ((HttpServletResponse) response).setStatus(HttpStatus.FORBIDDEN.value());
 response.getOutputStream().write(getJsonResponseBytes( new ErrorResponse(String.valueOf(HttpStatus.FORBIDDEN.value()), "Your account is not yet authorized to access ShibUI.")));
 ((HttpServletResponse) response).sendRedirect("/static.html");
- return;
- } // else, user is in the system already, carry on
+// return;*/
+ } else {
+ chain.doFilter(request, response);// else, user is in the system already, carry on
+ }
 }
 }
- chain.doFilter(request, response);
+// chain.doFilter(request, response);
 }
 @Override
diff --git a/pac4j-module/src/main/java/net/unicon/shibui/pac4j/WebSecurity.java b/pac4j-module/src/main/java/net/unicon/shibui/pac4j/WebSecurity.java
index 30bdc22d6..18fee29a7 100644
--- a/pac4j-module/src/main/java/net/unicon/shibui/pac4j/WebSecurity.java
+++ b/pac4j-module/src/main/java/net/unicon/shibui/pac4j/WebSecurity.java
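Review bot: With the trailing `chain.doFilter(request, response);` commented out, the chain is continued only from the new `else` branch, so any request that does not enter the two enclosing blocks (their opening conditions lie before the hunk, in the earlier part of doFilter) now returns without the rest of the chain ever running — an empty response with no error logged, which is hard to diagnose. Unless that earlier part continues the chain itself, keep `throw new AccessDeniedException("DENIED!");` as the only statement in the `ROLE_NONE` branch and restore the unconditional `chain.doFilter(request, response);` at the end of the method. The throw also only reaches the configured handler if an ExceptionTranslationFilter sits upstream of this filter; otherwise it surfaces as a container error page. The commented-out JSON/redirect block and `// return;*/` should be deleted rather than kept as comments. doFilter begins outside the hunk.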
@@ -3,6 +3,7 @@
 import edu.internet2.tier.shibboleth.admin.ui.security.repository.RoleRepository;
 import edu.internet2.tier.shibboleth.admin.ui.security.repository.UserRepository;
 import org.pac4j.core.config.Config;
+import org.pac4j.core.context.HttpConstants;
 import org.pac4j.springframework.security.web.CallbackFilter;
 import org.pac4j.springframework.security.web.SecurityFilter;
 import org.springframework.boot.autoconfigure.AutoConfigureOrder;
@@ -17,6 +18,7 @@
 import org.springframework.security.web.access.ExceptionTranslationFilter;
 import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
 import org.springframework.security.web.firewall.StrictHttpFirewall;
+import org.springframework.web.bind.annotation.ExceptionHandler;
 @Configuration
 @AutoConfigureOrder(-1)
@@ -27,6 +29,7 @@ public WebSecurityConfigurerAdapter webSecurityConfigurerAdapter(final Config co
 }
 @Bean
+ @ExceptionHandler
 public static AccessDeniedHandler accessDeniedHandler() {
 return new net.unicon.shibui.pac4j.AccessDeniedHandler();
 }
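Review bot: `@ExceptionHandler` on the `accessDeniedHandler()` `@Bean` factory method in the third hunk has no effect — that annotation is honoured on methods of `@Controller`/`@ControllerAdvice` classes, not on bean factory methods of a `@Configuration` class — so it only suggests to a reader that exceptions are routed here when they are not. Drop the annotation together with the `org.springframework.web.bind.annotation.ExceptionHandler` import added in the second hunk. The `org.pac4j.core.context.HttpConstants` import in the first hunk is not referenced by any line in these hunks; if nothing elsewhere in the file uses it, remove it as well.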
@@ -62,18 +65,26 @@ public Pac4jWebSecurityConfigurerAdapter(final Config config, UserRepository use
 @Override
 protected void configure(HttpSecurity http) throws Exception {
+ http.authorizeRequests().antMatchers("/static.html").permitAll();
+
 final SecurityFilter securityFilter = new SecurityFilter(this.config, "Saml2Client");
 final CallbackFilter callbackFilter = new CallbackFilter(this.config);
 // http.regexMatcher("/callback").addFilterBefore(callbackFilter, BasicAuthenticationFilter.class);
- http.antMatcher("/**").addFilterBefore(callbackFilter, BasicAuthenticationFilter.class);
+ http.antMatcher("/**").addFilterBefore(callbackFilter, BasicAuthenticationFilter.class)
+ .addFilterBefore(securityFilter, BasicAuthenticationFilter.class)
+ .addFilterAfter(new AddNewUserFilter(userRepository, roleRepository), SecurityFilter.class)
+ .addFilterAfter(exceptionTranslationFilter(accessDeniedHandler()), ExceptionTranslationFilter.class)
+ .exceptionHandling().accessDeniedHandler(accessDeniedHandler());
 http.authorizeRequests().anyRequest().fullyAuthenticated();
- http.addFilterBefore(securityFilter, BasicAuthenticationFilter.class);
+// http.addFilterBefore(securityFilter, BasicAuthenticationFilter.class);
+
+// http.addFilterAfter(new AddNewUserFilter(userRepository, roleRepository), SecurityFilter.class)
+// .exceptionHandling().accessDeniedHandler(accessDeniedHandler());
+
- http.addFilterAfter(new AddNewUserFilter(userRepository, roleRepository), SecurityFilter.class); /* - .exceptionHandling().accessDeniedHandler(accessDeniedHandler());
 http.addFilterAfter(exceptionTranslationFilter(accessDeniedHandler()), ExceptionTranslationFilter.class); */ /*
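Review bot: The AccessDeniedException that `AddNewUserFilter` now throws will not reach `accessDeniedHandler()` with this ordering: the filter is registered after pac4j's `SecurityFilter`, which itself is placed before `BasicAuthenticationFilter`, whereas `ExceptionTranslationFilter` runs later in Spring Security's standard chain and only translates exceptions thrown by filters downstream of itself. Registering a second `exceptionTranslationFilter(...)` after `ExceptionTranslationFilter.class` does not change that, since both are still downstream of the thrower; the likely symptom is a container 500 rather than the intended 403 handling. Register the user check after the translation filter instead, e.g. `.addFilterAfter(new AddNewUserFilter(userRepository, roleRepository), ExceptionTranslationFilter.class)`, and drop the extra `exceptionTranslationFilter(...)` registration. `accessDeniedHandler()` is also invoked as a plain static method three times here, creating handler instances that bypass the `@Bean`; injecting the bean once would keep a single configured handler. The commented-out `http.addFilterBefore`/`http.addFilterAfter` lines duplicate what the chained call now does and should be removed; the enclosing `configure` method continues past the hunk.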
@@ -94,6 +105,8 @@ protected void configure(HttpSecurity http) throws Exception {
 public void configure(org.springframework.security.config.annotation.web.builders.WebSecurity web) throws Exception {
 super.configure(web);
+// web.ignoring().antMatchers("/static.html");
+
 StrictHttpFirewall firewall = new StrictHttpFirewall();
 firewall.setAllowUrlEncodedSlash(true);
 web.httpFirewall(firewall);