What I mean by "security interceptors" is the HTTP security interceptor doesn't kick in (no failures reported anywhere) and it's impossible to secure HTTP resources altogether.