Explain behaviour with XMLHttpRequest on 401 response

MartinEmrich · sjohnr · commit 21fb5f92cf60 · 2025-03-21T15:05:22.000-05:00
Relates to / Closes gh-16103
diff --git a/docs/modules/ROOT/pages/servlet/authentication/passwords/basic.adoc b/docs/modules/ROOT/pages/servlet/authentication/passwords/basic.adoc
@@ -22,6 +22,15 @@ image:{icondir}/number_3.png[] Since the user is not authenticated, xref:servlet
 The configured xref:servlet/authentication/architecture.adoc#servlet-authentication-authenticationentrypoint[`AuthenticationEntryPoint`] is an instance of javadoc:org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint[], which sends a WWW-Authenticate header.
 The `RequestCache` is typically a `NullRequestCache` that does not save the request since the client is capable of replaying the requests it originally requested.
 
+[NOTE]
+====
+The default HTTP Basic Auth Provider will suppress both Response body and `WWW-Authenticate` header in the 401 response when
+the request was made with a `X-Requested-By: XMLHttpRequest` header. This allows frontends to implement their own
+authentication code, instead of triggering the browser login dialog.
+To override, implement your own
+javadoc:org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint[] .
+====
+
 When a client receives the `WWW-Authenticate` header, it knows it should retry with a username and password.
 The following image shows the flow for the username and password being processed:
 
