When the UI starts up and makes a call to auth to see if security is enabled, it checks for 401.
In the use-case of running behind a vip, this call may return a 503 (service not available), while auth/router are starting up. UI considers this a response, and since it's not 401, it incorrectly interprets it as security disabled.
The only current workaround is when running behind a vip, one must startup services in order (UI last).
Fixed a problem with the CDAP UI not handling "5xx" error codes correctly.