If you hit a feed URL, e.g.
http://localhost:9090/api/registry/Default%20Workspace/myArtifact;history
, and do not provide credentials, an HTTP 302 (meaning "requested resource resides temporarily under a different URI") is returned and it redirects you to login.jsp. The correct behavior when hitting a feed URL without credentials should be to return a 404 unauthorized, prompting clients to authenticate. A re-direct would be fine for a non-feed URL (e.g. a web console URL).
I discovered this when using apache HttpClient to authenticate against the service – by default HttpClient does not preemptively pass auth credentials (it will pass them if it gets a 404), so the client kept getting redirected to login.jsp. I finally resolved the issue by forcing HttpClient to pre-emptively authenticate.