[
https://issues.apache.org/jira/browse/CALCITE-6364?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Istvan Toth reassigned CALCITE-6364:
------------------------------------
Assignee: Istvan Toth
> HttpClient SPENGO support is deprecated
> ---------------------------------------
>
> Key: CALCITE-6364
> URL: https://issues.apache.org/jira/browse/CALCITE-6364
> Project: Calcite
> Issue Type: Bug
> Components: avatica
> Reporter: Istvan Toth
> Assignee: Istvan Toth
> Priority: Critical
>
> The Avatica Java client depends on Apache HttpClient's Kerberos/SPNEGO
> implementation.
> According to HTTPCLIENT-1625 that implementation is not secure, and is
> deprecated in newer versions.
> Unfortunately, HTTPCLIENT-1625 is very scant on details, and since the reason
> given for deprecation is the lack of time to fix it, it is likely not a
> trivial fix.
> Unfortunately, Avatica depends heavily on httpclient, and replacing it would
> it would be a big job.
> While Avatica in theory has a configurable Http Client implementation, the
> only non-httpclient implementation is more of a POC, and does not support ANY
> authentication methods.
> I can see these options:
> 1. Find an another http client library, and use it in Avatica
> 2. Copy the SPENGO auth code from httpclient, and fix it in Avatica
> 3. Fix the SPENGO auth code in httpclient.
> 4. Re-Implement SPENGO auth in Avatica (Hadoop does something like that,
> though I'm, not sure how good that is)
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
