Explain behaviour with XMLHttpRequest on 401 response

Relates to / Closes gh-16103
spring-projects · Dec 13, 2024 · c1c935c · c1c935c
1 parent 5a81a1f
commit c1c935c
Showing 1 changed file with 9 additions and 0 deletions.
diff --git a/docs/modules/ROOT/pages/servlet/authentication/passwords/basic.adoc b/docs/modules/ROOT/pages/servlet/authentication/passwords/basic.adoc
@@ -22,6 +22,15 @@ image:{icondir}/number_3.png[] Since the user is not authenticated, xref:servlet
 The configured xref:servlet/authentication/architecture.adoc#servlet-authentication-authenticationentrypoint[`AuthenticationEntryPoint`] is an instance of javadoc:org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint[], which sends a WWW-Authenticate header.
 The `RequestCache` is typically a `NullRequestCache` that does not save the request since the client is capable of replaying the requests it originally requested.
 
+[NOTE]
+====
+The default HTTP Basic Auth Provider will suppress both Response body and `WWW-Authenticate` header in the 401 response when
+the request was made with a `X-Requested-By: XMLHttpRequest` header. This allows frontends to implement their own
+authentication code, instead of triggering the browser login dialog.
+To override, implement your own
+javadoc:org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint[] .
+====
+
 When a client receives the `WWW-Authenticate` header, it knows it should retry with a username and password.
 The following image shows the flow for the username and password being processed: