When someone browses to a page without the required permission, Plone redirects him to the login page. To do this Plone creates a 302 redirect.
Is this behavior somehow customizable? Can I configure it to return a plain 401 Unauthorized response?
A client has asked us to render a special HTML to the users that access private content. They have already achieved this for 404 Not Found pages in nginx or Apache by handling the 404 error. With the 302 redirect to the login page we can't get that, so that's the reason I am asking how to customize this behavior to have the 401 Unauthorized response.
I don't think this can be changed through Plone configuration, but you could override the RequireLoginView and/or the InsufficientPrivilegesView in the code. (In older Plone versions these are skin scripts.)
I'd have thought you could also customize the behaviour of nginx or apache for status 302. Do you have a specific problem there?
The point is that if I add some special behavior for the 302 redirect in nginx/apache, all 302 redirects will be handled and not only the ones created by the "redirect-to-login-form".
The important bits there are 1) the error_page 401 =200 block, to tell nginx to treat the 401 error as a 200 response code and show the /custom_401.html page, which in the following line is mapped to an HTML page in the file system, and 2) proxy_intercept_errors on, to let nginx handle errors created by Plone despite using proxy_pass.
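An nginx configuration matching the two points described in the post above, as an added example that is not the poster's original configuration. The server name, the backend address and the file-system path are assumed placeholders, and it assumes Plone has already been changed to answer with 401 instead of the 302 redirect.

```nginx
# Added example. server_name, backend address and root path are assumptions.
server {
    listen 80;
    server_name plone.example.org;              # placeholder

    location / {
        proxy_pass http://127.0.0.1:8080;       # assumed Plone backend
        proxy_set_header Host $host;

        # 2) Let nginx apply error_page to responses generated by Plone.
        #    Only status codes with an error_page entry are replaced, so the
        #    302 redirects Plone issues elsewhere pass through unchanged.
        proxy_intercept_errors on;

        # 1) Serve the custom page for 401 and rewrite the status to 200,
        #    as described in the post.
        error_page 401 =200 /custom_401.html;

        # Variant that serves the same page but keeps the 401 status, so
        # crawlers, caches and monitoring do not record a successful response
        # for private content:
        # error_page 401 /custom_401.html;
    }

    # Map the URI to a static HTML file on disk. "internal" means the page
    # is only reachable through error_page, not by requesting it directly.
    location = /custom_401.html {
        root /var/www/errors;                   # assumed path
        internal;
    }
}
```

With `=200`, access logs and any status-based alerting will show these denied requests as successes, so counting unauthorized access attempts has to be done on the Plone side or from requests that end at `/custom_401.html`.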