[
https://issues.apache.org/jira/browse/CALCITE-1915?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Josh Elser resolved CALCITE-1915.
---------------------------------
Resolution: Fixed
Fixed in
https://git-wip-us.apache.org/repos/asf?p=calcite-avatica.git;a=commit;h=bc0e8bf5b287ca27b35df30b1568c8c389f70b4f
> Workaround Jetty SpnegoAuthenticator bug where no challenge is sent
> -------------------------------------------------------------------
>
> Key: CALCITE-1915
> URL: https://issues.apache.org/jira/browse/CALCITE-1915
> Project: Calcite
> Issue Type: Bug
> Components: avatica
> Reporter: Josh Elser
> Assignee: Josh Elser
> Fix For: avatica-1.11.0
>
>
> I stumbled across what I think is a bug in Jetty per the RFC-7616. The RFC
> reads (to me) as the following:
> When a client sends an authorization header that is not capable of being used
> to authenticate via SPNEGO, the server should send back the
> WWW-Authentication: Negotiate HTTP header with a status code of HTTP/401.
> Jetty will only send this challenge+401 when *no* Authorization header is
> provided.
> In the case where Avatica is sitting behind a reverse-proxy, the proxy _may_
> choose to pass along another authorization header. Jetty (and Avatica) should
> still respond to say "You need to authenticate over SPNEGO".
> At least Jetty dev seems to agree with my assessment:
> https://github.com/eclipse/jetty.project/issues/1698. We can easily work
> around this in Avatica while we wait to get a Jetty release which has this
> fixed.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
