verify(filterChain).doFilter(request, response);
        verify(response, never()).setStatus(HttpServletResponse.SC_UNAUTHORIZED);
    }

    @Test
    void testDoFilter_sessionWithoutAuth_shouldChallenge() throws Exception {
        // Initialize filter first
        initializeFilter();

        // Test that having a session but no auth still challenges