Josh Elser created CALCITE-1915:
-----------------------------------
Summary: Workaround Jetty SpnegoAuthenticator bug where no
challenge is sent
Key: CALCITE-1915
URL: https://issues.apache.org/jira/browse/CALCITE-1915
Project: Calcite
Issue Type: Bug
Components: avatica
Reporter: Josh Elser
Assignee: Josh Elser
Fix For: avatica-1.11.0
I stumbled across what I think is a bug in Jetty per the RFC-7616. The RFC
reads (to me) as the following:
When a client sends an authorization header that is not capable of being used
to authenticate via SPNEGO, the server should send back the WWW-Authentication:
Negotiate HTTP header with a status code of HTTP/401. Jetty will only send this
challenge+401 when *no* Authorization header is provided.
In the case where Avatica is sitting behind a reverse-proxy, the proxy _may_
choose to pass along another authorization header. Jetty (and Avatica) should
still respond to say "You need to authenticate over SPNEGO".
At least Jetty dev seems to agree with my assessment:
https://github.com/eclipse/jetty.project/issues/1698. We can easily work around
this in Avatica while we wait to get a Jetty release which has this fixed.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
