You wouldn't need to have the header point to a log in page though, you would just have the server handle the post request sent from the browser (or plugin).
Right I see what you're saying, looks like I misread the article a bit. For me it would be an ideal implementation if there could also be some callback functionality, that way it doesn't just have to redirect to a login url the logic can be handled natively (wrong password > try again, success > reload page etc). Even better, instead of pointing to a login page, you could specify a different auth scheme and just point to a JSON or XML file with the various field etc. Whichever way, it isn't going to be utterly trivial I will agree on that.
