On 2021-11-23 at 20:14, Oleg Kalnichevski wrote:
Folks

Here's my proposal

HttpClient 5.2:

* Announce the plan to deprecate and eventually remove NTLM support
and experimental SPNEGO / Kerberos support

* Ask downstream projects to get in touch with us. Invite interested parties to participate in Kerberos support improvements

OK for me.

HttpClient 5.3:

* Make NTLM / SPNEGO / Kerberos disabled by default requiring an explicit opt-in from the user. Mark respective implementations deprecated.

Also OK for me. I have explicitly disabled SPNEGO for Wagon some time ago. It simply did not make any sense.

* Remove stateful connection support
    ^^^^^^^^^^^^^^^^^^^^^^
    This contradicts the option to still explicitly enable the providers.
Did you mistype?


* Invite interested parties to participate in Kerberos support improvements


HttpClient 6.0:

* Remove NTLM support

* Remove SPNEGO / Kerberos support if still broken

Can you answer my previous request?
What is important to know for you when you want to remove code: The
security context loop is always client initiated and required to be
completed by a token sent from the server with the response unless it
is 401/407. So the HttpClient needs to store the context somewhere
until it receives the response, completes security context and frees
the security context. This is on a per-request basis. If the context
is not completed with the response then the authentication should not
be trusted, either an exception should be thrown or a warning/error
must be logged.

Will this still be possible for SPNEGO to be implemented properly after the removal of stateful connection support?

HttpClient 6.0 is not going to happen sooner than 2025. There should be plenty of time for downstream projects to react and adjust.
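
The per-request completion check described in the reply above, written against the JDK's `org.ietf.jgss` API as an added example; it is not HttpClient code and not code from either correspondent. The class and method names are hypothetical, and the `Proxy`-based stub context is constructed so the example runs without a KDC.

```java
import java.lang.reflect.Proxy;
import java.util.Base64;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSException;

// Added illustration; not HttpClient code. All names here are hypothetical.
public final class SpnegoResponseCheck {
    /** Completes the per-request context with the token from the final response. */
    static void completeContext(GSSContext ctx, int status, String wwwAuthenticate)
            throws GSSException {
        if (status == 401 || status == 407) return; // excluded from the requirement
        try {
            if (wwwAuthenticate != null
                    && wwwAuthenticate.regionMatches(true, 0, "Negotiate ", 0, 10)) {
                byte[] token = Base64.getDecoder().decode(wwwAuthenticate.substring(10).trim());
                ctx.initSecContext(token, 0, token.length); // feed the server token
            }
            if (!ctx.isEstablished()) {
                throw new SecurityException("SPNEGO context not completed by the response");
            }
        } finally {
            ctx.dispose(); // the context is held for this one request only
        }
    }

    /** Constructed stand-in for a real GSSContext so the example runs without a KDC. */
    static GSSContext stubContext() {
        boolean[] established = {false};
        return (GSSContext) Proxy.newProxyInstance(
                SpnegoResponseCheck.class.getClassLoader(), new Class<?>[] {GSSContext.class},
                (proxy, method, args) -> {
                    switch (method.getName()) {
                        case "initSecContext": established[0] = true; return null;
                        case "isEstablished": return established[0];
                        default: return null; // dispose() and unused methods
                    }
                });
    }

    public static void main(String[] argv) throws GSSException {
        // Constructed header value; the token bytes are placeholders.
        String header = "Negotiate " + Base64.getEncoder().encodeToString(new byte[] {1, 2});
        completeContext(stubContext(), 200, header);
        System.out.println("200 with token: context established");
        try {
            completeContext(stubContext(), 200, null);
        } catch (SecurityException e) {
            System.out.println("200 without token: " + e.getMessage());
        }
    }
}
```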
