[jira] [Commented] (SOLR-8887) Solr Security features cannot export the internal, deprecated DefaultHttpClient class as part of their user facing API.

Wed, 23 Mar 2016 10:13:55 -0700 

    [ 
https://issues.apache.org/jira/browse/SOLR-8887?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15208791#comment-15208791
 ] 

Mark Miller commented on SOLR-8887:
-----------------------------------

I don't even see how you deal with this in a strong back compat way but break 
it in 7, and lock us into the HttpClient impl for a whole major version every 
time. These security classes need very explicit access it looks :( Not 
something you can just abstract away.

Really, these are Java APIs and I'd say we don't promise strong back compat 
between minor versions anyway though. Let's fix our security impls, doc it 
better, and move on. But it seems this has also been exposed as part of a 
generic security plugin API, which gives me pause again. But those plugins are 
new and no more special than searchhandlers or searchcomponents, which can also 
break between minor releases depending on the classes you are accessing. I  
think we should update all of it and fix our connection management now rather 
than wait till version 7. Making an internal, deprecated class a core part of a 
plugin api means that plugin api is fairly subject to change I think.

> Solr Security features cannot export the internal, deprecated 
> DefaultHttpClient class as part of their user facing API.
> -----------------------------------------------------------------------------------------------------------------------
>
>                 Key: SOLR-8887
>                 URL: https://issues.apache.org/jira/browse/SOLR-8887
>             Project: Solr
>          Issue Type: Bug
>            Reporter: Mark Miller
>            Priority: Critical
>             Fix For: master
>
>
> Seems security now really depends on HttpClientConfigurer. That class was 
> only used for tests previously, and was at best completely unsupported. We 
> can't promise an API that locks us into an internal, low level, class from a 
> lib. Especially a deprecated one. Solr wants to own the http layer, not get 
> locked into impls.
> We need to stop using DefaultHttpClient, and it's going to break this stuff.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to