As I read the RFC, unauthenticated users requesting a resource which requires authentication should consistently receive a 401 Unauthorized. From the RFC:
302 Found: The requested resource resides temporarily under a different URI.
401 Unauthorized: The request requires user authentication.
Clearly the 302 does not correctly describe your situation and the 401 does.
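An added example, not part of the original answer: a minimal WSGI handler that answers unauthenticated requests for a protected path with 401 and the WWW-Authenticate challenge a 401 must carry, rather than a 302. The path prefix, token value, Bearer scheme and the `call` helper are assumptions chosen for illustration.

```python
import hmac
from wsgiref.util import setup_testing_defaults

# Constructed values for illustration only (assumptions, not from the answer).
PROTECTED = "/account"
VALID_TOKEN = "example-token-constructed"

def is_authenticated(environ):
    """Check a Bearer token from the Authorization header in constant time."""
    scheme, _, token = environ.get("HTTP_AUTHORIZATION", "").partition(" ")
    return scheme.lower() == "bearer" and hmac.compare_digest(
        token.encode("latin-1", "replace"), VALID_TOKEN.encode())

def app(environ, start_response):
    """Answer 401 with a challenge, never a redirect, when credentials are missing."""
    path = environ.get("PATH_INFO", "/")
    protected = path == PROTECTED or path.startswith(PROTECTED + "/")
    if protected and not is_authenticated(environ):
        body = b"authentication required\n"
        start_response("401 Unauthorized", [
            # A 401 response must include a WWW-Authenticate challenge.
            ("WWW-Authenticate", 'Bearer realm="example"'),
            ("Content-Type", "text/plain"),
            ("Content-Length", str(len(body))),
            # The response depends on credentials, so it should not be stored.
            ("Cache-Control", "no-store"),
        ])
        return [body]
    body = b"ok\n"
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Content-Length", str(len(body)))])
    return [body]

def call(path, authorization=None):
    """Drive the app in-process and return (status, headers dict, body)."""
    environ = {}
    setup_testing_defaults(environ)
    environ["PATH_INFO"] = path
    if authorization is not None:
        environ["HTTP_AUTHORIZATION"] = authorization
    captured = {}
    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, dict(headers)
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body

if __name__ == "__main__":
    print(call("/account/settings")[0])
    print(call("/account/settings", "Bearer " + VALID_TOKEN)[0])
```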