The browser's HTTP user-agent obviously follows the HTTP protocol which says the following for 401.
The request requires user authentication. The response MUST include a WWW-Authenticate header field (section 14.47) containing a challenge applicable to the requested resource.
The WWW-Authenticate response-header field MUST be included in 401 (Unauthorized) response messages. The field value consists of at least one challenge that indicates the authentication scheme(s) and parameters applicable to the Request-URI.
where the contents of a challenge may itself contain a comma-separated list of authentication parameters. The authentication parameter realm is defined for all authentication schemes:With some trial and error, we found that the pop up is triggered not due to the presence of 401 but due to the presence of the challenge.
So, as a web service developer, if you want to help service consumers disable the pop up and still send 401, you could use a trick. Replace Basic with your own scheme, e.g. xBasic as shown below.
To do this with Spring Security, you would want to override the commence method of the default
Write your own entry point, e.g. MyBasicAuthenticationEntryPoint as shown below.
Then plugin your entry point into the basic authentication filter as follows:
Thanks to Venkat Mantirraju in helping figure this out.