You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@calcite.apache.org by "Istvan Toth (Jira)" <ji...@apache.org> on 2024/04/15 07:22:00 UTC
[jira] [Created] (CALCITE-6364) HttpClient SPENGO support is deprecated
Istvan Toth created CALCITE-6364:
------------------------------------
Summary: HttpClient SPENGO support is deprecated
Key: CALCITE-6364
URL: https://issues.apache.org/jira/browse/CALCITE-6364
Project: Calcite
Issue Type: Bug
Components: avatica
Reporter: Istvan Toth
The Avatica Java client depends on Apache HttpClient's Kerberos/SPNEGO implementation.
According to HTTPCLIENT-1625 that implementation is not secure, and is deprecated in newer versions.
Unfortunately, HTTPCLIENT-1625 is very scant on details, and since the reason given for deprecation is the lack of time to fix it, it is likely not a trivial fix.
Unfortunately, Avatica depends heavily on httpclient, and replacing it would it would be a big job.
While Avatica in theory has a configurable Http Client implementation, the only non-httpclient implementation is more of a POC, and does not support ANY authentication methods.
I can see these options:
1. Find an another http client library, and use it in Avatica
2. Copy the SPENGO auth code from httpclient, and fix it in Avatica
3. Fix the SPENGO auth code in httpclient.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)