Citing Paul Millar:
"It is a fairly well established convention that an HTTP client should drop the Authorization HTTP request header from subsequent requests if the server replies with a redirection (30x) status code. It is expected that any authorisation needed for the subsequent request is handled by the redirecting server (e.g., by including an authz token in the redirection URL)."
StoRM uses the Commons HTTP Client library, which by default includes the Authorization header in the request it sends when following the redirect.
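The convention quoted above, as an added example that is not StoRM's or the Commons HTTP Client library's code: a client that follows redirects itself and sends the Authorization header to the first server only. It uses the JDK's `java.net.http` client and built-in `com.sun.net.httpserver` rather than Commons HTTP Client; the two local servers, the paths, the `authz` token and the credential are constructed placeholders.

```java
import com.sun.net.httpserver.HttpServer;
import java.net.InetSocketAddress;
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;

public class RedirectAuthDemo {
    // Follows redirects by hand; the credential goes to the first server only.
    static HttpResponse<String> get(HttpClient client, URI uri, String authorization) throws Exception {
        for (int hop = 0; hop < 5; hop++) {
            HttpRequest.Builder req = HttpRequest.newBuilder(uri).GET();
            if (authorization != null) req.header("Authorization", authorization);
            HttpResponse<String> resp = client.send(req.build(), HttpResponse.BodyHandlers.ofString());
            String location = resp.headers().firstValue("Location").orElse(null);
            if (resp.statusCode() / 100 != 3 || location == null) return resp;
            uri = uri.resolve(location); // Location may be relative
            authorization = null;        // drop the header on every later hop
        }
        throw new IllegalStateException("too many redirects");
    }

    public static void main(String[] args) throws Exception {
        // Constructed target server: reports whether an Authorization header arrived.
        HttpServer target = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        target.createContext("/data", ex -> {
            boolean seen = ex.getRequestHeaders().containsKey("Authorization");
            byte[] body = ("authorization-seen=" + seen).getBytes();
            ex.sendResponseHeaders(200, body.length);
            ex.getResponseBody().write(body);
            ex.close();
        });
        target.start();
        // Constructed redirecting server: 302 with a placeholder token in the URL.
        String next = "http://127.0.0.1:" + target.getAddress().getPort() + "/data?authz=EXAMPLE-TOKEN";
        HttpServer front = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        front.createContext("/", ex -> {
            ex.getResponseHeaders().add("Location", next);
            ex.sendResponseHeaders(302, -1);
            ex.close();
        });
        front.start();
        HttpClient client = HttpClient.newBuilder().followRedirects(HttpClient.Redirect.NEVER).build();
        URI start = URI.create("http://127.0.0.1:" + front.getAddress().getPort() + "/file");
        System.out.println(get(client, start, "Bearer EXAMPLE-CREDENTIAL").body());
        front.stop(0);
        target.stop(0);
    }
}
```

The target server's reply states whether an Authorization header reached it, which makes the same pair of servers usable as a regression check against any client configuration.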