jpalitme is Akhn's version of HAPI FHIR. It is a fork of HAPI FHIR starter project.
In HAPI, authentication is achieved through interceptors. We do not implement any at the moment. We delegate the responsibility to authenticate users to nginx, using basic authentication. When external authentication is used (like nginx), the HAPI UI tester needs to be configured to authenticate its requests, this is implemented in src/main/java/ca/uhn/fhir/jpa/starter/FhirTesterConfig.java.
We had to implement permissions for the RESAH project. In HAPI, this can be done using the search narrowing interceptor. We defined our own (see src/main/java/ca/uhn/fhir/jpa/starter/interceptors/MySearchNarrowingInterceptor.java) which can be enabled using the use_narrowing_interceptor application property.