[ https://issues.apache.org/jira/browse/CALCITE-1915?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Josh Elser resolved CALCITE-1915. --------------------------------- Resolution: Fixed Fixed in https://git-wip-us.apache.org/repos/asf?p=calcite-avatica.git;a=commit;h=bc0e8bf5b287ca27b35df30b1568c8c389f70b4f > Workaround Jetty SpnegoAuthenticator bug where no challenge is sent > ------------------------------------------------------------------- > > Key: CALCITE-1915 > URL: https://issues.apache.org/jira/browse/CALCITE-1915 > Project: Calcite > Issue Type: Bug > Components: avatica > Reporter: Josh Elser > Assignee: Josh Elser > Fix For: avatica-1.11.0 > > > I stumbled across what I think is a bug in Jetty per the RFC-7616. The RFC > reads (to me) as the following: > When a client sends an authorization header that is not capable of being used > to authenticate via SPNEGO, the server should send back the > WWW-Authentication: Negotiate HTTP header with a status code of HTTP/401. > Jetty will only send this challenge+401 when *no* Authorization header is > provided. > In the case where Avatica is sitting behind a reverse-proxy, the proxy _may_ > choose to pass along another authorization header. Jetty (and Avatica) should > still respond to say "You need to authenticate over SPNEGO". > At least Jetty dev seems to agree with my assessment: > https://github.com/eclipse/jetty.project/issues/1698. We can easily work > around this in Avatica while we wait to get a Jetty release which has this > fixed. -- This message was sent by Atlassian JIRA (v6.4.14#64029)