[jira] [Commented] (CALCITE-4152) Avoid SPNEGO re-negotiation for each request

[Josh Elser (Jira)]

    [ 
https://issues.apache.org/jira/browse/CALCITE-4152?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17257137#comment-17257137
 ] 

Josh Elser commented on CALCITE-4152:
-------------------------------------

{code:java}
    2020-12-31 23:21:35,831 [qtp2048434399-16] DEBUG - COMMIT for / on 
HttpChannelOverHttp@584ac69e{s=HttpChannelState@5cea67c6{s=HANDLING 
rs=COMPLETING os=COMMITTED is=READY awp=false se=false i=false 
al=0},r=2,c=false/false,a=HANDLING,uri=//localhost:51706/,age=283}
    200 null HTTP/1.1
    Date: Fri, 01 Jan 2021 04:21:35 GMT
    WWW-Authenticate: Negotiate 
oYH1MIHyoAMKAQChCwYJKoZIhvcSAQICom4EbGBqBgkqhkiG9xIBAgICAG9bMFmgAwIBBaEDAgEPok0wS6ADAgERokQEQtpZnCRCej2MpfcD4oGTteO70BdUVSdd7Y4o/hqCP7ZB6YcXORaqxcEHjVjRLCZk1MLueoDiUO/YQh2CruAbVWMIBaNuBGxgagYJKoZIhvcSAQICAgBvWzBZoAMCAQWhAwIBD6JNMEugAwIBEaJEBELaWZwkQno9jKX3A+KBk7Xju9AXVFUnXe2OKP4agj+2QemHFzkWqsXBB41Y0SwmZNTC7nqA4lDv2EIdgq7gG1VjCAU=
    Set-Cookie: JSESSIONID=node01mx0ketk9hfx2166mjptrygys60.node0; Path=/
    Expires: Thu, 01 Jan 1970 00:00:00 GMT
    Content-Type: application/octet-stream;charset=utf-8 {code}
With the new ConfigurableSpnegoAuthenticator/LoginService, Jetty will 
automatically send back a JSESSIONID cookie and use that, as long as the 
provided "duration" for cookie validity is not exceeded. Pretty slick.

We'll have to go through the other stuff that hadoop-auth does and make sure 
that we don't need anything else (like {{Secure}} or {{HttpOnly}} options on 
that cookie.).

> Avoid SPNEGO re-negotiation for each request
> --------------------------------------------
>
>                 Key: CALCITE-4152
>                 URL: https://issues.apache.org/jira/browse/CALCITE-4152
>             Project: Calcite
>          Issue Type: Improvement
>          Components: avatica
>            Reporter: Istvan Toth
>            Assignee: Josh Elser
>            Priority: Major
>
> When using SPNEGO authentication with Avatica, every HTTP request 
> re-initiates the negotiation, doubling the number HTTP requests.
> Consider switching to cookies after the initial SPNEGO authentication 
> succeeds.
> Jetty ticket that discusses the issue: 
> [https://github.com/eclipse/jetty.project/issues/2868]
> Description of the Knox implementation
> [https://cwiki.apache.org/confluence/display/KNOX/2017/02/24/Hadoop+Auth+%28SPNEGO+and+delegation+token+based+authentication%29+with+Apache+Knox]



--
This message was sent by Atlassian Jira
(v8.3.4#803005)