[ https://issues.apache.org/jira/browse/CALCITE-1915?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16110172#comment-16110172 ]
Josh Elser commented on CALCITE-1915:
-------------------------------------
AIUI, this will land in the next Jetty-9.4 release. As such, until we change
from Jetty-9.2 to 9.4, we'll have to have a workaround.

The change is easy, but writing a test will take a little bit of time. I'll try
to do this tmrw so it doesn't wane.

> Workaround Jetty SpnegoAuthenticator bug where no challenge is sent
> -------------------------------------------------------------------
>
> Key: CALCITE-1915
> URL: https://issues.apache.org/jira/browse/CALCITE-1915
> Project: Calcite
> Issue Type: Bug
> Components: avatica
> Reporter: Josh Elser
> Assignee: Josh Elser
> Fix For: avatica-1.11.0
>
>
> I stumbled across what I think is a bug in Jetty per the RFC-7616. The RFC
> reads (to me) as the following:
>
> When a client sends an authorization header that is not capable of being used
> to authenticate via SPNEGO, the server should send back the
> WWW-Authentication: Negotiate HTTP header with a status code of HTTP/401.
>
> Jetty will only send this challenge+401 when *no* Authorization header is
> provided.
>
> In the case where Avatica is sitting behind a reverse-proxy, the proxy _may_
> choose to pass along another authorization header. Jetty (and Avatica) should
> still respond to say "You need to authenticate over SPNEGO".
>
> At least Jetty dev seems to agree with my assessment:
> https://github.com/eclipse/jetty.project/issues/1698. We can easily work
> around this in Avatica while we wait to get a Jetty release which has this
> fixed.
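The challenge decision described in the issue, shown as an added example that is not taken from the issue, Avatica or Jetty. It models only the choice made from the Authorization header value (no Kerberos token validation), and every class, method and enum name in it is hypothetical.

```java
import java.util.Locale;

// Added illustration, not Avatica or Jetty code; all names here are hypothetical.
public class SpnegoChallengeDemo {
    enum Decision { SEND_401_NEGOTIATE, VALIDATE_TOKEN, NO_CHALLENGE_SENT }

    // True only for "Negotiate <token>"; auth scheme names are case-insensitive.
    static boolean isNegotiateWithToken(String authorization) {
        if (authorization == null) return false;
        String[] parts = authorization.trim().split("\\s+", 2);
        return parts.length == 2
            && parts[0].toLowerCase(Locale.ROOT).equals("negotiate")
            && !parts[1].isEmpty();
    }

    // Model of the behaviour the issue reports: challenge only when the header is absent.
    static Decision challengeOnlyWhenAbsent(String authorization) {
        if (authorization == null) return Decision.SEND_401_NEGOTIATE;
        return isNegotiateWithToken(authorization)
            ? Decision.VALIDATE_TOKEN : Decision.NO_CHALLENGE_SENT;
    }

    // Behaviour the issue asks for: any header unusable for SPNEGO gets the challenge.
    static Decision challengeUnlessNegotiate(String authorization) {
        return isNegotiateWithToken(authorization)
            ? Decision.VALIDATE_TOKEN : Decision.SEND_401_NEGOTIATE;
    }

    public static void main(String[] args) {
        // Constructed sample Authorization header values (null = header absent).
        String[] samples = {
            null,
            "Basic dXNlcjpwYXNz",          // e.g. passed along by a reverse proxy
            "Bearer constructed-token",
            "negotiate Y29uc3RydWN0ZWQ=",  // placeholder, not a real GSS token
            "Negotiate"                    // scheme with no token
        };
        for (String h : samples) {
            System.out.printf("%-30s as-reported=%-18s wanted=%s%n",
                h == null ? "(no header)" : h,
                challengeOnlyWhenAbsent(h), challengeUnlessNegotiate(h));
        }
    }
}
```

The rows where the two columns differ are the requests a client behind the proxy would see answered without the SPNEGO challenge.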