At the moment, it is necessary to have the anonymous filter explicitly configured for an url.
There is no annotation for marking publicly available methods.
This way, it is not possible to do an annotation-only configuration of methods. The optimal solution would be that everything is filtered through an auth filter, but methods annotated with (at)Anonymous for example do not lead to a redirection to the login url.
This makes sense in cases where you want to have a default config set in a base artifact integrating Shiro and applications using that artifact should be enabled to do the actual configuration of which methods are accessible for anonymous users.
RequiresGuest is not sufficient, as it will deny access to authenticated users.
The lack of this feature makes it very hard to incorporate Shiro into a web framework providing a sane default configuration (filter everything through authc/authc_basic) and still let the user decide where to make exemptions.