Josh Elser created CALCITE-1915: ----------------------------------- Summary: Workaround Jetty SpnegoAuthenticator bug where no challenge is sent Key: CALCITE-1915 URL: https://issues.apache.org/jira/browse/CALCITE-1915 Project: Calcite Issue Type: Bug Components: avatica Reporter: Josh Elser Assignee: Josh Elser Fix For: avatica-1.11.0
I stumbled across what I think is a bug in Jetty per the RFC-7616. The RFC reads (to me) as the following: When a client sends an authorization header that is not capable of being used to authenticate via SPNEGO, the server should send back the WWW-Authentication: Negotiate HTTP header with a status code of HTTP/401. Jetty will only send this challenge+401 when *no* Authorization header is provided. In the case where Avatica is sitting behind a reverse-proxy, the proxy _may_ choose to pass along another authorization header. Jetty (and Avatica) should still respond to say "You need to authenticate over SPNEGO". At least Jetty dev seems to agree with my assessment: https://github.com/eclipse/jetty.project/issues/1698. We can easily work around this in Avatica while we wait to get a Jetty release which has this fixed. -- This message was sent by Atlassian JIRA (v6.4.14#64029)