diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index b297aa7..43257b2 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -119,7 +119,7 @@ class ApplicationController < ActionController::Base
       if (key = api_key_from_request)
         # Use API key
         user = User.find_by_api_key(key)
-      else
+      elsif request.authorization.to_s =~ /\ABasic /i
         # HTTP Basic, either username/password or API key/random
         authenticate_with_http_basic do |username, password|
           user = User.try_to_login(username, password) || User.find_by_api_key(username)
diff --git a/test/integration/api_test/authentication_test.rb b/test/integration/api_test/authentication_test.rb
index 3a6a4d6..016ab11 100644
--- a/test/integration/api_test/authentication_test.rb
+++ b/test/integration/api_test/authentication_test.rb
@@ -28,6 +28,16 @@ class Redmine::ApiTest::AuthenticationTest < Redmine::ApiTest::Base
     Setting.rest_api_enabled = '0'
   end
 
+  def test_api_should_trigger_basic_http_auth_with_basic_authorization_header
+    ApplicationController.any_instance.expects(:authenticate_with_http_basic).once
+    get '/users/current.xml', {}, credentials('admin')
+  end
+
+  def test_api_should_not_trigger_basic_http_auth_with_non_basic_authorization_header
+    ApplicationController.any_instance.expects(:authenticate_with_http_basic).never
+    get '/users/current.xml', {}, 'HTTP_AUTHORIZATION' => 'Digest foo bar'
+  end
+
   def test_api_request_should_not_use_user_session
     log_user('jsmith', 'jsmith')
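Review bot: The new `elsif` guard carries no comment explaining why the auth scheme is checked before `authenticate_with_http_basic` is called, so a later cleanup could collapse it back to `else`; a one-line comment above the `elsif` would pin the intent: `# Only hand the header to authenticate_with_http_basic when the scheme is Basic; a non-Basic token (e.g. Digest) must not be decoded and tried as a username/password`. Whether Rails would actually decode a non-Basic header here depends on the Rails version in use and is not visible in this hunk, but the added test sending `'Digest foo bar'` makes clear that is the behaviour being excluded. Since only a boolean is needed, `request.authorization.to_s.match?(/\ABasic /i)` avoids allocating a MatchData, provided the project's Ruby version supports `match?`. The enclosing method and the rest of this `if` chain lie outside the hunk, so a request with no or a non-Basic Authorization header now falls through the dropped `else`; confirm that path leaves `user` nil rather than reaching some other branch.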