calcite-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Josh Elser (JIRA)" <>
Subject [jira] [Created] (CALCITE-1915) Workaround Jetty SpnegoAuthenticator bug where no challenge is sent
Date Tue, 01 Aug 2017 21:57:00 GMT
Josh Elser created CALCITE-1915:

             Summary: Workaround Jetty SpnegoAuthenticator bug where no challenge is sent
                 Key: CALCITE-1915
             Project: Calcite
          Issue Type: Bug
          Components: avatica
            Reporter: Josh Elser
            Assignee: Josh Elser
             Fix For: avatica-1.11.0

I stumbled across what I think is a bug in Jetty per the RFC-7616. The RFC reads (to me) as
the following:

When a client sends an authorization header that is not capable of being used to authenticate
via SPNEGO, the server should send back the WWW-Authentication: Negotiate HTTP header with
a status code of HTTP/401. Jetty will only send this challenge+401 when *no* Authorization
header is provided.

In the case where Avatica is sitting behind a reverse-proxy, the proxy _may_ choose to pass
along another authorization header. Jetty (and Avatica) should still respond to say "You need
to authenticate over SPNEGO".

At least Jetty dev seems to agree with my assessment:
We can easily work around this in Avatica while we wait to get a Jetty release which has this

This message was sent by Atlassian JIRA

View raw message