About Authcomponent 302 response

Dear all,

When using Authcomponent, I came across this issue:
I have some apis in UsersController, and some apis in OrdersController.
Once I delete the session cookie Authcomponent set, or log out,
I try to call those apis, for those apis in UsersController, it returns 302 response with Location header pointing to
the login page, which is as expected.
But for those apis in OrdersController, it returns 200 OK with the html code of login page in the body, looks strange.
Could someone help to explain why, and how to fix it? I’d like for those apis in OrdersController, it also return 302 instead.