When running with authentication enabled for both API-A and API-M, the target of /fedora/wsdl is also authenticated even though this target is supposed to remain public.
This appears to be a bug in the Fedora installer script as it builds the web.xml file when configured with authentication enabled for API-A. The installer is including the WSDLServlet in the EnforceAuthnFilter mapping when it should not. An interim fix is to manually edit the generated fedora web.xml file and remove or comment out the following lines:
Doing so should eliminate the authentication challenge for obtaining wsdl through the /fedora/wsdl target.