[
https://issues.apache.org/jira/browse/CALCITE-6364?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17838470#comment-17838470
]
Istvan Toth commented on CALCITE-6364:
--------------------------------------
5.3 even removes SPNEGO from DefaultAuthenticationStrategy, so that a custom
AuthenticationStrategy is required to use it.
> HttpClient SPNEGO support is deprecated
> ---------------------------------------
>
> Key: CALCITE-6364
> URL: https://issues.apache.org/jira/browse/CALCITE-6364
> Project: Calcite
> Issue Type: Bug
> Components: avatica
> Reporter: Istvan Toth
> Priority: Critical
>
> The Avatica Java client depends on Apache HttpClient's Kerberos/SPNEGO
> implementation.
> According to HTTPCLIENT-1625 that implementation is not secure, and is
> deprecated in newer versions.
> Unfortunately, HTTPCLIENT-1625 is very scant on details, and since the reason
> given for deprecation is the lack of time to fix it, it is likely not a
> trivial fix.
> Unfortunately, Avatica depends heavily on httpclient, and replacing it would
> be a big job.
> While Avatica in theory has a configurable Http Client implementation, the
> only non-httpclient implementation is more of a POC, and does not support ANY
> authentication methods.
> I can see these options:
> 1. Find another http client library, and use it in Avatica
> 2. Copy the SPNEGO auth code from httpclient, and fix it in Avatica
> 3. Fix the SPNEGO auth code in httpclient.