diff --git a/build.sbt b/build.sbt
index 7b9e7ea..fc26036 100644
--- a/build.sbt
+++ b/build.sbt
@@ -25,6 +25,7 @@
       ("Gerrit-ApiType", "plugin"),
       ("Gerrit-PluginName", pluginName),
       ("Gerrit-Module", "com.googlesource.gerrit.plugins.analytics.wizard.Module"),
+      ("Gerrit-HttpModule", "com.googlesource.gerrit.plugins.analytics.wizard.HttpModule"),
       ("Implementation-Title", "Analytics plugin wizard")
     )
   )
diff --git a/src/main/scala/com/googlesource/gerrit/plugins/analytics/wizard/HttpModule.scala b/src/main/scala/com/googlesource/gerrit/plugins/analytics/wizard/HttpModule.scala
new file mode 100644
index 0000000..b2ab5a9
--- /dev/null
+++ b/src/main/scala/com/googlesource/gerrit/plugins/analytics/wizard/HttpModule.scala
@@ -0,0 +1,26 @@
+// Copyright (C) 2018 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package com.googlesource.gerrit.plugins.analytics.wizard
+
+import com.google.gerrit.extensions.registration.DynamicSet
+import com.google.gerrit.httpd.AllRequestFilter
+import com.google.inject.servlet.ServletModule
+
+class HttpModule extends ServletModule {
+
+  override def configureServlets() {
+    DynamicSet.bind(binder(), classOf[AllRequestFilter]).to(classOf[XAuthFilter])
+  }
+}
diff --git a/src/main/scala/com/googlesource/gerrit/plugins/analytics/wizard/Module.scala b/src/main/scala/com/googlesource/gerrit/plugins/analytics/wizard/Module.scala
index 36d21dd..9c77724 100644
--- a/src/main/scala/com/googlesource/gerrit/plugins/analytics/wizard/Module.scala
+++ b/src/main/scala/com/googlesource/gerrit/plugins/analytics/wizard/Module.scala
@@ -1,4 +1,4 @@
-// Copyright (C) 2017 The Android Open Source Project
+// Copyright (C) 2018 The Android Open Source Project
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -13,7 +13,9 @@
 // limitations under the License.
 package com.googlesource.gerrit.plugins.analytics.wizard
 
+import com.google.gerrit.extensions.registration.DynamicSet
 import com.google.gerrit.extensions.restapi.RestApiModule
+import com.google.gerrit.httpd.AllRequestFilter
 import com.google.gerrit.server.project.ProjectResource.PROJECT_KIND
 import com.google.inject.AbstractModule
 
diff --git a/src/main/scala/com/googlesource/gerrit/plugins/analytics/wizard/XAuthFilter.scala b/src/main/scala/com/googlesource/gerrit/plugins/analytics/wizard/XAuthFilter.scala
new file mode 100644
index 0000000..d940da7
--- /dev/null
+++ b/src/main/scala/com/googlesource/gerrit/plugins/analytics/wizard/XAuthFilter.scala
@@ -0,0 +1,48 @@
+// Copyright (C) 2018 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package com.googlesource.gerrit.plugins.analytics.wizard
+
+import javax.servlet._
+import javax.servlet.http.HttpServletRequest
+
+import com.google.gerrit.extensions.annotations.PluginName
+import com.google.gerrit.extensions.registration.DynamicItem
+import com.google.gerrit.httpd.{AllRequestFilter, WebSession}
+import com.google.gerrit.server.AccessPath
+import com.google.inject.{Inject, Singleton}
+import org.slf4j.{Logger, LoggerFactory}
+
+@Singleton
+class XAuthFilter @Inject()(val webSession: DynamicItem[WebSession], @PluginName pluginName: String) extends AllRequestFilter {
+  implicit val log: Logger = LoggerFactory.getLogger(classOf[XAuthFilter])
+  val authenticatedPluginURIs = (s".*/a/.*$pluginName.*").r
+
+  override def init(filterConfig: FilterConfig) {}
+
+  override def destroy() {}
+
+  override def doFilter(req: ServletRequest, resp: ServletResponse, chain: FilterChain) {
+    val uri = req.asInstanceOf[HttpServletRequest].getRequestURI
+    authenticatedPluginURIs.findFirstIn(uri).foreach { _ =>
+      val session = webSession.get
+      if (session != null && session.isSignedIn && session.getXGerritAuth != null) {
+        session.setAccessPathOk(AccessPath.REST_API, true)
+        log.debug(s"Set URI $uri as authenticated REST-API access path")
+      }
+    }
+
+    chain.doFilter(req, resp)
+  }
+}
\ No newline at end of file