Explain behaviour with XMLHttpRequest on 401 response

Relates to / Closes gh-16103
2025-06-12 07:02:13 +00:00 · 2024-12-13 12:35:06 +01:00 · 2024-12-13 12:35:06 +01:00 · 21fb5f92cf
commit 21fb5f92cf
parent 86599afd43
1 changed files with 9 additions and 0 deletions
--- a/docs/modules/ROOT/pages/servlet/authentication/passwords/basic.adoc
+++ b/docs/modules/ROOT/pages/servlet/authentication/passwords/basic.adoc
@ -22,6 +22,15 @@ image:{icondir}/number_3.png[] Since the user is not authenticated, xref:servlet
 The configured xref:servlet/authentication/architecture.adoc#servlet-authentication-authenticationentrypoint[`AuthenticationEntryPoint`] is an instance of javadoc:org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint[], which sends a WWW-Authenticate header.
 The `RequestCache` is typically a `NullRequestCache` that does not save the request since the client is capable of replaying the requests it originally requested.

+[NOTE]
+====
+The default HTTP Basic Auth Provider will suppress both Response body and `WWW-Authenticate` header in the 401 response when
+the request was made with a `X-Requested-By: XMLHttpRequest` header. This allows frontends to implement their own
+authentication code, instead of triggering the browser login dialog.
+To override, implement your own
+javadoc:org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint[] .
+====
+
 When a client receives the `WWW-Authenticate` header, it knows it should retry with a username and password.
 The following image shows the flow for the username and password being processed: