Istvan Toth created CALCITE-6364:
------------------------------------
Summary: HttpClient SPENGO support is deprecated
Key: CALCITE-6364
URL: https://issues.apache.org/jira/browse/CALCITE-6364
Project: Calcite
Issue Type: Bug
Components: avatica
Reporter: Istvan Toth
The Avatica Java client depends on Apache HttpClient's Kerberos/SPNEGO
implementation.
According to HTTPCLIENT-1625 that implementation is not secure, and is
deprecated in newer versions.
Unfortunately, HTTPCLIENT-1625 is very scant on details, and since the reason
given for deprecation is the lack of time to fix it, it is likely not a trivial
fix.
Unfortunately, Avatica depends heavily on httpclient, and replacing it would it
would be a big job.
While Avatica in theory has a configurable Http Client implementation, the only
non-httpclient implementation is more of a POC, and does not support ANY
authentication methods.
I can see these options:
1. Find an another http client library, and use it in Avatica
2. Copy the SPENGO auth code from httpclient, and fix it in Avatica
3. Fix the SPENGO auth code in httpclient.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
