Bug description

BasicAuthenticationModule adds a WWW-Authenticate header to the response only if authentication and authorization are successful. According to RFC 7235, Section 4.1 (emphasis mine):

> A server generating a 401 (Unauthorized) response MUST send a WWW-Authenticate header field containing at least one challenge. A server MAY generate a WWW-Authenticate header field in other response messages to indicate that supplying credentials (or different credentials) might affect the response.

While the need for the header in successful responses is debatable, there's no doubt that the lack of it in 401 Unauthorized responses is a bug. Furthermore, this causes browsers to not ask the user for credentials.

Expected behavior

401 Unauthorized responses generated by BasicAuthenticationModule should have a WWW-Authenticate header with the same value it currently has on 200 OK responses.
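For reference, this is what the expected behaviour looks like in a minimal Basic-auth middleware: an added example written in Go with net/http, not code from BasicAuthenticationModule or its project. The realm name and the single hard-coded user/password pair are assumptions made for the example; the point is that every 401 carries the challenge, so a browser knows to prompt.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Assumed values for this example: one realm and one valid credential pair.
const (
	realm    = "example"
	wantUser = "alice"
	wantPass = "correct horse battery staple"
)

// BasicAuth wraps next so that every unauthorized response carries a
// WWW-Authenticate challenge, as RFC 7235 section 4.1 requires.
func BasicAuth(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		user, pass, ok := r.BasicAuth()
		if !ok || !equal(user, wantUser) || !equal(pass, wantPass) {
			// Set the challenge before writing the 401: this is what
			// makes browsers ask the user for credentials.
			w.Header().Set("WWW-Authenticate", `Basic realm="`+realm+`", charset="UTF-8"`)
			http.Error(w, "Unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// equal hashes both inputs and compares the digests in constant time, so
// the comparison does not leak how many leading bytes matched.
func equal(a, b string) bool {
	ha, hb := sha256.Sum256([]byte(a)), sha256.Sum256([]byte(b))
	return subtle.ConstantTimeCompare(ha[:], hb[:]) == 1
}

// Probe sends one in-memory request through the middleware and returns the
// status code and the WWW-Authenticate value; empty user means no credentials.
func Probe(user, pass string) (int, string) {
	h := BasicAuth(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Write([]byte("secret"))
	}))
	req := httptest.NewRequest("GET", "/", nil)
	if user != "" {
		req.SetBasicAuth(user, pass)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code, rec.Header().Get("WWW-Authenticate")
}

func main() {
	code, challenge := Probe("", "")
	fmt.Printf("%d %q\n", code, challenge) // 401 with a Basic challenge
}
```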