The change made for JENKINS-72636 breaks scripted downloads with wget
If you follow the documentation https://www.jenkins.io/doc/book/system-administration/authenticating-scripted-clients/#shell-with-wget and use the command

wget --auth-no-challenge \
    --user=user --password=apiToken \
    http://jenkins.example.com/job/yourjob/lastSuccessfulBuild/artifact/build_record.txt

wget will pass the username and password both for the initial request to the jenkins URL.
Upon receiving the redirect to the resource URL, wget will again supply the BASIC authentication.

The change made causes the download to fail with a 400 error and a cryptic error message in the logs `hudson.security.AccessDeniedException3: anonymous is missing the Run/Artifacts permission`

Currently a work around is to use a `.netrc` so that the credentials are only sent for the main jenkins domain and not the resource subdomain