On Sun, 2021-11-28 at 16:46 +0100, Michael Osipov wrote:
> Am 2021-11-27 um 11:01 schrieb Oleg Kalnichevski:
> > On Fri, 2021-11-26 at 18:39 +0100, Michael Osipov wrote:
> > > Am 2021-11-23 um 20:14 schrieb Oleg Kalnichevski:
> > > > Folks
> > > > 
> > > > Here's my proposal
> > > > 
> > > > HttpClient 5.2:
> > > > 
> > > > * Announce the plan to deprecate and eventually remove NTLM
> > > > support
> > > > and experimental SPNEGO / Kerberos support
> > > > 
> > > > * Ask downstream projects to get in touch with us. Invite
> > > > interested
> > > > parties to participate in Kerberos support improvements
> > > 
> > > OK for me.
> > > 
> > > > HttpClient 5.3:
> > > > 
> > > > * Make NTLM / SPNEGO / Kerberos disabled by default requiring
> > > > an
> > > > explicit opt-in from the user. Mark respective implementations
> > > > deprecated.
> > > 
> > > Also OK for me. I have explicitly disabled SPNEGO for Wagon
> > > some
> > > time ago. It simply did not make any sense.
> > > 
> > > > * Remove stateful connection support
> > >       ^^^^^^^^^^^^^^^^^^^^^^
> > >       This contradicts the option still to explicitly enable to
> > > providers.
> > > Did you mistype?
> > > 
> > 
> > Hi Michael
> > 
> > 
> > What I propose is that the support for connection state tracking be
> > removed in 5.3. It is an extra security mechanism presently used by
> > NTLM only. It adds a lot of otherwise unnecessary complexity to the
> > connection pooling logic and the APIs. I would like to get rid of
> > it
> > sooner.
> 
> I see, I am completely unaware of this code, frankly. But when this
> is 
> removed, how is the NTLM scheme going to work at all? 

This is about pooling of authenticated (stateful) connections, not
about authentication. NTLM handshake will work as before but the
connection manager will no longer take NTLM state into account. The
users will have to decide whether or not they want different users to
share the same pool of NTLM connections. HttpClient will no longer do
that for them.


> It requires
> connection tracking for sure. Sorry for playing stupid, but your code
> knowledge is magnitudes apart from mine.
> I hope that the current NTLM module is explicitly excluded from
> HTTP/2
> because it is not compatible with concurrent streams on one TCP
> connection. See
> https://docs.microsoft.com/en-us/iis/get-started/whats-new-in-iis-10/http2-on-iis#when-is-http2-not-supported
> 

Presently we do not. One more reason to disable NTLM by default.

> Will you prepare a PR for this somewhere next year?
> 

I surely will.

Oleg
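As an added illustration (not code from this thread or from HttpClient), here is a small Python model of the pooling behaviour discussed above: NTLM binds the authenticated identity to the TCP connection, so a pool that does not track that state can hand a connection authenticated as one user to a request made by another. The connection, pool and user names are constructed for the example; the state-aware branch models a connection manager that matches idle connections to the requesting user, which is the behaviour the proposal removes.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Connection:
    """A pooled TCP connection. NTLM authenticates the connection, not each
    request, so after the handshake the connection carries an identity."""
    conn_id: int
    principal: Optional[str] = None  # None until an NTLM handshake completes


class ConnectionPool:
    """Constructed model of a keep-alive pool; not the HttpClient API."""

    def __init__(self, track_state: bool) -> None:
        self.track_state = track_state
        self.idle: List[Connection] = []
        self.next_id = 0

    def lease(self, user: str) -> Connection:
        for conn in self.idle:
            # Stateless pooling reuses any idle connection; state-aware
            # pooling only reuses one that is unauthenticated or already
            # bound to this same user.
            if not self.track_state or conn.principal in (None, user):
                self.idle.remove(conn)
                return conn
        self.next_id += 1
        return Connection(self.next_id)

    def release(self, conn: Connection) -> None:
        self.idle.append(conn)


def send(pool: ConnectionPool, user: str) -> Tuple[str, int, str]:
    """Issue one request as `user`; return (user, conn_id, identity the
    server sees). A fresh connection is NTLM-authenticated as `user`."""
    conn = pool.lease(user)
    if conn.principal is None:
        conn.principal = user  # handshake binds the identity to the socket
    served_as = conn.principal
    pool.release(conn)
    return (user, conn.conn_id, served_as)


def simulate(track_state: bool) -> List[Tuple[str, int, str]]:
    """Run alice, bob, alice through one shared pool."""
    pool = ConnectionPool(track_state)
    return [send(pool, u) for u in ("alice", "bob", "alice")]


def cross_user_reuse(results: List[Tuple[str, int, str]]) -> List[Tuple[str, int, str]]:
    """Requests that were served under a different user's identity."""
    return [r for r in results if r[0] != r[2]]
```

With `track_state=False` bob's request rides alice's authenticated connection; with `track_state=True` bob gets his own connection, which is the per-user separation callers will need to arrange themselves once the pool stops tracking NTLM state.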



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@hc.apache.org
For additional commands, e-mail: dev-h...@hc.apache.org
