[
https://issues.apache.org/jira/browse/HTTPCLIENT-2402?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18031227#comment-18031227
]
Istvan Toth commented on HTTPCLIENT-2402:
-----------------------------------------
I have poked around in the Async code, and it seems that using the thread-level
Subject for the Async client is questionable even before Java 22.
All worker threads are started when the client is built, and are running with
the effective Subject of the Thread that created the client.
Users, especially coming from the classic interface may expect that the
effective Subject of the Thread firing off the request will be used, which is
not the case.
So while we could hack the Thread implementation we use to preserve the pre
JDK22 behaviour, I don't think it's worth the effort.
IMO we should simply document the current behaviour.
- Using the Thread Security Context (Subject) works fine and as expected for
the Classic client.
- For the Async Client using the Thread Security Context is not supported:
  - For JDK21 and earlier, the Security Context of the Thread building the
    client is used
  - For JDK24 and later the Thread Security Context is always ignored
  - JDK22-23 behaves like JDK21 if the SecurityManager is enabled, and like JDK24
    otherwise
WDYT [~michael-o] [~olegk] ?
> Handle SecurityManager removal
> ------------------------------
>
> Key: HTTPCLIENT-2402
> URL: https://issues.apache.org/jira/browse/HTTPCLIENT-2402
> Project: HttpComponents HttpClient
> Issue Type: Bug
> Reporter: Istvan Toth
> Priority: Major
>
> There are two aspects to these changes:
> - replacing Subject.doAs() with Subject.callAs()
> - handling the changed thread semantics, where the Current Subject is no longer
> propagated to new Threads.
> Httpclient doesn't currently use the disabled methods.
> They are used in HTTPCLIENT-2358, which already includes the SecurityUtils to
> map the doAs/CallAs function based on the JVM version.
> The Subject propagation issue breaks SPNEGO authentication for the Async
> client, as the Subject is no longer propagated to the executor threads for
> the Async operations.
> There is no current test for that, I will add new tests to HTTPCLIENT-2358 to
> cover this case.
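
The behaviour described in the comment above, as an added example that is not part of the original message and not HttpClient code: a pre-started worker pool does not see the Subject of the thread that submits work, and binding the Subject to the task explicitly avoids depending on thread-level state. It assumes Java 18 or later (for `Subject.current()` and `Subject.callAs()`); the class name, the `withCallerSubject` helper and the principal names are hypothetical.

```java
import java.security.Principal;
import java.util.Set;
import java.util.concurrent.Callable;
import java.util.concurrent.LinkedBlockingQueue;
import java.util.concurrent.ThreadPoolExecutor;
import java.util.concurrent.TimeUnit;
import javax.security.auth.Subject;

public class SubjectPropagationDemo {
    // Constructed stand-in for a Kerberos principal; no KDC or ticket involved.
    static Subject subjectFor(String name) {
        Principal p = () -> name;
        return new Subject(true, Set.of(p), Set.of(), Set.of());
    }

    static String nameOf(Subject s) {
        return s == null ? "<none>" : s.getPrincipals().iterator().next().getName();
    }

    // Hypothetical helper: capture the Subject on the submitting thread and
    // re-bind it on whichever worker thread ends up running the task.
    static <T> Callable<T> withCallerSubject(Callable<T> task) {
        Subject captured = Subject.current(); // may be null
        return () -> Subject.callAs(captured, task);
    }

    public static void main(String[] args) throws Exception {
        ThreadPoolExecutor pool = new ThreadPoolExecutor(
                1, 1, 0L, TimeUnit.SECONDS, new LinkedBlockingQueue<>());
        // Worker threads start while the "builder" Subject is in effect,
        // mirroring a client whose threads are created at build time.
        Subject.callAs(subjectFor("builder@EXAMPLE.COM"), pool::prestartAllCoreThreads);

        Callable<String> whoAmI = () -> nameOf(Subject.current());
        Subject.callAs(subjectFor("caller@EXAMPLE.COM"), () -> {
            // Thread-level lookup on the worker: not the caller's Subject.
            System.out.println("implicit: " + pool.submit(whoAmI).get());
            // Explicit binding: the worker runs the task as the caller's Subject.
            System.out.println("explicit: " + pool.submit(withCallerSubject(whoAmI)).get());
            return null;
        });
        pool.shutdown();
    }
}
```

What the "implicit" line prints depends on the JDK version, as listed in the comment; the "explicit" line does not.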