[jira] [Commented] (CALCITE-1915) Workaround Jetty SpnegoAuthenticator bug where no challenge is sent

Thu, 03 Aug 2017 14:52:18 -0700 

    [ 
https://issues.apache.org/jira/browse/CALCITE-1915?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16113560#comment-16113560
 ] 

ASF GitHub Bot commented on CALCITE-1915:
-----------------------------------------

GitHub user joshelser opened a pull request:

    https://github.com/apache/calcite-avatica/pull/14

    CALCITE-1915 Work around a Jetty where the SPNEGO challenge is not …

    …sent

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/joshelser/calcite-avatica 
1915-spnego-challenge

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/calcite-avatica/pull/14.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #14
    
----
commit d8a74a3e5bea5182c13b639987bdb3a9d4f1e81a
Author: Josh Elser <[email protected]>
Date:   2017-07-27T20:31:59Z

    [CALCITE-1915] Work around a Jetty where the SPNEGO challenge is not sent

----


> Workaround Jetty SpnegoAuthenticator bug where no challenge is sent
> -------------------------------------------------------------------
>
>                 Key: CALCITE-1915
>                 URL: https://issues.apache.org/jira/browse/CALCITE-1915
>             Project: Calcite
>          Issue Type: Bug
>          Components: avatica
>            Reporter: Josh Elser
>            Assignee: Josh Elser
>             Fix For: avatica-1.11.0
>
>
> I stumbled across what I think is a bug in Jetty per the RFC-7616. The RFC 
> reads (to me) as the following:
> When a client sends an authorization header that is not capable of being used 
> to authenticate via SPNEGO, the server should send back the 
> WWW-Authentication: Negotiate HTTP header with a status code of HTTP/401. 
> Jetty will only send this challenge+401 when *no* Authorization header is 
> provided.
> In the case where Avatica is sitting behind a reverse-proxy, the proxy _may_ 
> choose to pass along another authorization header. Jetty (and Avatica) should 
> still respond to say "You need to authenticate over SPNEGO".
> At least Jetty dev seems to agree with my assessment: 
> https://github.com/eclipse/jetty.project/issues/1698. We can easily work 
> around this in Avatica while we wait to get a Jetty release which has this 
> fixed.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

Reply via email to