Why does destroy action trigger HTTP authentication in Production in Rails 3?

Screenshot of what happens when I press 'delete': http://twitpic.com/4mljuy

This is what I see in my production.log:

Started POST "/clients/1" for 127.0.0.1 at 2011-04-20 13:48:26 -0500
  Processing by ClientsController#destroy as JSON
  Parameters: {"id"=>"1"}
nil
Completed   in 3ms

This is my destroy action in my controller:

def destroy
     client = Client.find(params[:id])
     client.destroy
     respond_to do |format|
        format.html { redirect_to("/") }
        format.js   { render :json => ['client',params[:id]].to_json, :layout => false }
    end
end

This is the delete link in my view:

<span class="icon destroy-icon" data-destroy-title="Delete <%= client.email %>?" data-destroy-url="<%= client_path(client) %>" data-compv-mapping="clientDestroyFn" title="Delete"> </span>

Here is the JS:

$('[data-destroy-url]').live('click', function(e){
    console.debug("Clicked Destroy");
    var element = $(this);
    var mapping = compv.tools.getVariableFromString(element.attr("data-compv-mapping"), compv);
    var dialog = $("div#" + mapping.dialog);
    dialog.dialog('option', 'title', element.attr("data-destroy-title"));
    dialog.dialog("option", 
        "buttons", [
        { text: "No",
          click: function(){
            dialog.dialog('close');
        }
        },
    { text: "Yes, do it!",
      click: function() {
        dialog.dialog('close');
        $.destroy({
            url: element.attr('data-destroy-url'),
            success: mapping.success
        });
    }}
    ]);
    dialog.dialog('open');
});

Btw, this only happens when RAILS_ENV=production and not development.

Edit: Here is my application controller:

class ApplicationController < ActionController::Base
  helper :all
  helper_method :current_user, :logged_in?

  protect_from_forgery
  before_filter :set_current_user开发者_StackOverflow中文版
  before_filter :authenticate_user!

  def set_xhr_flash
    flash.discard if request.xhr?
  end

  def correct_safari_and_ie_accept_headers
    ajax_request_types = ['text/javascript', 'application/json', 'text/xml']
    request.accepts.sort! { |x, y| ajax_request_types.include?(y.to_s) ? 1 : -1 } if request.xhr?
  end

  protected 

  def set_current_user
    logger.info current_user.inspect
    Authorization.current_user = current_user
    #User.current = current_user
  end

    # def after_sign_in_path_for(resource)
    #       if resource.is_a?(User) && resource.has_trial_expired?
    #           return url_for(:settings)
    #       end
    #       super       
    #   end

end

Edit2: When I tried to delete a stage (which is an object), I got this message in my log file:

Started POST "/stages/58" for 127.0.0.1 at 2011-04-20 23:18:13 -0500
  Processing by StagesController#destroy as JSON
  Parameters: {"id"=>"58"}
  User Load (1.6ms)  SELECT "users".* FROM "users" WHERE "users"."id" = 11 LIMIT 1
nil
Permission denied: No matching rules found for destroy for #<Authorization::AnonymousUser:0x000001052659c0 @role_symbols=[:guest]> (roles [:guest], privileges [:destroy], context :stages).
Rendered text template (0.0ms)
Completed 403 Forbidden in 232ms (Views: 0.9ms | ActiveRecord: 1.6ms)

Update to the latest jquery ujs driver which includes the CSRF token in each request to prevent your session from being reset since the changes in 3.0.4.

You probably have a before filter on the application controller or on your controller with basic auth requested.

Or, do you have any gems for authenication?