You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@calcite.apache.org by "Istvan Toth (Jira)" <ji...@apache.org> on 2024/04/15 07:22:00 UTC

[jira] [Created] (CALCITE-6364) HttpClient SPENGO support is deprecated

Istvan Toth created CALCITE-6364:
------------------------------------

             Summary: HttpClient SPENGO support is deprecated
                 Key: CALCITE-6364
                 URL: https://issues.apache.org/jira/browse/CALCITE-6364
             Project: Calcite
          Issue Type: Bug
          Components: avatica
            Reporter: Istvan Toth


The Avatica Java client depends on Apache HttpClient's Kerberos/SPNEGO implementation.
According to HTTPCLIENT-1625 that implementation is not secure, and is deprecated in newer versions.

Unfortunately, HTTPCLIENT-1625 is very scant on details, and since the reason given for deprecation is the lack of time to fix it, it is likely not a trivial fix.

Unfortunately, Avatica depends heavily on httpclient, and replacing it would it would be a big job.

While Avatica in theory has a configurable Http Client implementation, the only non-httpclient implementation is more of a POC, and does not support ANY authentication methods.

I can see these options:

1. Find an another http client library, and use it in Avatica
2. Copy the SPENGO auth code from httpclient, and fix it in Avatica
3. Fix the SPENGO auth code in httpclient.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)