unosquare / embedio

A tiny, cross-platform, module based web server for .NET
http://unosquare.github.io/embedio

No WWW-Authenticate header on basic HTTP auth failure #516

Closed rdeago closed 3 years ago

rdeago commented 3 years ago

Bug description

BasicAuthenticationModule adds a WWW-Authenticate header to the response only if authentication and authorization are successful.

According to RFC7235, Section 4.1 (emphasis mine):

A server generating a 401 (Unauthorized) response MUST send a WWW-Authenticate header field containing at least one challenge. A server MAY generate a WWW-Authenticate header field in other response messages to indicate that supplying credentials (or different credentials) might affect the response.

While the need for the header in successful responses is debatable, there's no doubt that the lack of it in 401 Unauthorized responses is a bug. Furthermore, this causes browsers to not ask the user for credentials.

Expected behavior

401 Unauthorized responses generated by BasicAuthenticationModule should have a WWW-Authenticate header with the same value it currently has on 200 OK responses.
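As an added illustration of the behaviour the report asks for (example code, not EmbedIO's own BasicAuthenticationModule): a minimal basic-auth handler that attaches the `WWW-Authenticate` challenge to every 401, plus a conformance check that flags a 401 without it. The realm, the user store and the credentials are constructed for the demo.

```python
import base64
import hmac
from http import HTTPStatus

# Constructed demo values; the realm and user store are not from EmbedIO.
REALM = "demo"
USERS = {"alice": "s3cret"}


def basic_header(user, password):
    """Build an 'Authorization: Basic ...' request header value."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def parse_basic(authorization):
    """Return (user, password) from a Basic Authorization value, or None if malformed."""
    if not authorization or not authorization.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(authorization[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def handle(authorization):
    """Model of a basic-auth module: returns (status, response headers).

    The challenge goes on every 401, as RFC 7235 section 4.1 requires; a browser
    only prompts for credentials when it sees this header."""
    challenge = {"WWW-Authenticate": f'Basic realm="{REALM}", charset="UTF-8"'}
    creds = parse_basic(authorization)
    if creds is None:
        return HTTPStatus.UNAUTHORIZED, challenge
    user, password = creds
    # Always run the comparison (against "" for unknown users) so timing does not
    # reveal which user names exist.
    expected = USERS.get(user, "")
    ok = hmac.compare_digest(expected.encode(), password.encode()) and user in USERS
    return (HTTPStatus.OK, {}) if ok else (HTTPStatus.UNAUTHORIZED, challenge)


def check_challenge(status, headers):
    """Conformance check for the reported bug. Returns findings; empty means compliant."""
    if status != HTTPStatus.UNAUTHORIZED:
        return []
    value = next((v for k, v in headers.items() if k.lower() == "www-authenticate"), None)
    if value is None:
        return ["401 without WWW-Authenticate header (RFC 7235 section 4.1 MUST)"]
    if not value.strip().lower().startswith("basic"):
        return ["401 challenge does not use the Basic scheme"]
    return []
```

Running `check_challenge` over a 401 with an empty header map reproduces the finding described in the report, while every 401 from `handle` passes the check.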