@Anthony Fishbeck @Gordon Smith, please correct me if I do not understand correctly: we should send 401 (not redirect to the login page) for any REST type call if authentication fails. The following rules are used to detect  a REST type call.

1. Any HTTP POST request;

2. Any request which has a BasicAuthentication header;

3. Any CORS calls (any request which has an Origin header).

@Kanghua Wang lets discuss this afternoon and see if we can improve on

1. what causes redirect.

2. what is treated as REST client calls.

That is because ESP allows a client to get the 'resource' files from predefined locations. The default settings of the locations include: esp/files/. So, the 200 OK is sent for http://192.168.3.22:8010/esp/files/stub.htm.

Quick follow up - what I am seeing is the opposite of what I would expect:

When the request is the main landing page, there is no redirect:

But as soon as the first REST style request is made:

Again IMO the redirect only makes sense when the requested resources is a html page.

How about only redirecting if its a "same-origin" request?

or alternatively only redirecting if:

1. The request type is a GET

2. The requested URLs pathname ends in ".html" or ".htm" etc. (we wouldn't want redirects for ".xsd" requests)

3. The requested URLs pathname is blank.

FWIW I would probably be ok if there was no redirect on a POST / OPTIONS request, but that feels a bit specific.