The "flex-messaging-proxy" module relied on the commons-httpclient 3.1
library, which had CVE security vulnerabilities. To update
flex-messaging-proxy, this dependency would need to be replaced by the
newer org.apache.httpcomponents.httpclient, which has a different API (and
no migration guide from the older version). It was found that some of the
features of the proxy service exposed commons-httpclient internals that
seem to no longer exist in org.apache.httpcomponents.httpclient. This made
it very difficult to upgrade flex-messaging-proxy, so we decided to disable
it instead, so that other BlazeDS features could be updated and released to
fix other security vulnerabilities.

However, we would be open to a community contribution that upgrades
flex-messaging-proxy to use org.apache.httpcomponents.httpclient. The
original source code can be found in the blazeds-4.7.3 tag.

--
Josh Tynjala
Bowler Hat LLC <https://bowlerhat.dev>


On Thu, Aug 24, 2023 at 11:49 PM 吉川威雄 / YOSHIKAWA,TAKAO <
takao.yoshikawa...@hitachi.com> wrote:

> Hi,
>
> What is the reason why the following class features have been removed from
> BlazeDS 4.8.0?
>
> Are there any alternative solutions or countermeasures for this?
>
> flex.messaging.services.HTTPProxyService
> flex.messaging.services.http.HTTPProxyAdapter
> flex.messaging.services.http.SOAPProxyAdapter
>
> Thanks,
> Takao
>
