AuthenticationRequired should not be thrown in PolicyEnforcement if resource is available to Everybody
In case you define a (method) resource (in my case with runtime argument condition) and you GRANT access to this resource for the "Everybody" role you will still end up with an AuthenticationRequiredException (or if defined a redirect to the WebRedirect) because the AuthenticationManager will throw that on not logged in BEFORE the AccessDecisionManager checks the actual permissions for the resource.
To fix this we need to temporarily catch the exception when there were no tokens to be authenticated and check permissions on the AccessDecisionManager. If this then throws an AccessDeniedException we know the resource was inaccessible for not logged in user (at least with the current runtime evaluation) and we should probably trigger a redirect to the WebRedirect. In case the AccessDecisionManager granted access to the resource we can proceed as obviously the resource was meant to be available without login.