[
https://issues.apache.org/jira/browse/CALCITE-1915?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16113812#comment-16113812
]
ASF GitHub Bot commented on CALCITE-1915:
-----------------------------------------
Github user asfgit closed the pull request at:
https://github.com/apache/calcite-avatica/pull/14
> Workaround Jetty SpnegoAuthenticator bug where no challenge is sent
> -------------------------------------------------------------------
>
> Key: CALCITE-1915
> URL: https://issues.apache.org/jira/browse/CALCITE-1915
> Project: Calcite
> Issue Type: Bug
> Components: avatica
> Reporter: Josh Elser
> Assignee: Josh Elser
> Fix For: avatica-1.11.0
>
>
> I stumbled across what I think is a bug in Jetty per the RFC-7616. The RFC
> reads (to me) as the following:
> When a client sends an authorization header that is not capable of being used
> to authenticate via SPNEGO, the server should send back the
> WWW-Authentication: Negotiate HTTP header with a status code of HTTP/401.
> Jetty will only send this challenge+401 when *no* Authorization header is
> provided.
> In the case where Avatica is sitting behind a reverse-proxy, the proxy _may_
> choose to pass along another authorization header. Jetty (and Avatica) should
> still respond to say "You need to authenticate over SPNEGO".
> At least Jetty dev seems to agree with my assessment:
> https://github.com/eclipse/jetty.project/issues/1698. We can easily work
> around this in Avatica while we wait to get a Jetty release which has this
> fixed.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
