Mark Hammond wrote:
> * The current implementation still has a problem in that it neglects to
> override response._unauthorized(). This method adds HTTP basic auth
> headers - so even when HTTP auth is disabled, you can end up with a HTTP
> challenge being issued.

I fixed this now.