On Fri, 2021-11-26 at 18:39 +0100, Michael Osipov wrote: > Am 2021-11-23 um 20:14 schrieb Oleg Kalnichevski: > > Folks > > > > Here's my proposal > > > > HttpClient 5.2: > > > > * Announce the plan to deprecate and eventually remove NTLM support > > and experimental SPNEGO / Kerberos support > > > > * Ask downstream projects to get in touch with us. Invite > > interested > > parties to participate in Kerberos support improvements > > OK for me. > > > HttpClient 5.3: > > > > * Make NTLM / SPNEGO / Kerberos disabled by default requiring an > > explicit opt-in from the user. Mark respective implementations > > deprecated. > > Also OK for me also. I have explicitly disabled SPNEGO for Wagon > some > time ago. It simply did not make any sense. > > > * Remove stateful connection support > ^^^^^^^^^^^^^^^^^^^^^^ > This contradicts the option still to explicitly enable to > providers. > Did you mistype? >
Hi Michael What I propose is that the support for connection state tracking be removed in 5.3. It is an extra security mechanism presently used by NTLM only. It adds a lot of otherwise unnecessary complexity to the connection pooling logic and the APIs. I would like to get rid of it sooner. > > > * Invite interested parties to participate in Kerberos support > > improvements > > > > > > HttpClient 6.0: > > > > * Remove NTLM support > > > > * Remove SPNEGO / Kerberos support if still broken > > Can you answer my previous request? > > What is important to know for you when you want to remove code: The > > security context loop is always client initiated and required to be > > completed by a token sent from the server with the response unless > > it > > is 401/407. So the HttpClient needs to store the context somewhere > > until it receives the response, completes security context and > > frees > > the security context. This is on a per-request basis. If the > > context > > is not completed with the response then the authentication should > > not > > be trusted, either an exception should be through or a > > warning/error > > must be logged. > > Will this still be possible for SPNEGO to be implemented properly > after > the remove of stateful connection support? Of course. There will be no changes to the Auth APIs. It will always be possible to add NTLM and Kerberos as extra authentication schemes if desired. Oleg --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@hc.apache.org For additional commands, e-mail: dev-h...@hc.apache.org
