Jetty 9.x will be soon no more maintained

[sbernard31]

Jetty 9/10/11 all go full EOL on January 1, 2025. (no more updates)

source :

• https://github.com/jetty/jetty.project/pull/12012#issuecomment-2429573589
• https://github.com/jetty/jetty.project/issues/7958

The only supported one will be v12 which use 17 as minimum version ...

So either :

• we migrate to v12 which will lead to a painful situation where we have different java constraint by leshan component ... :disappointed:
• we don't migrate this is just a demo (I do not like so much this one)
• we find an alternative which is compliant with java8

( When we will remove jetty 9.x dependencies, we should remove corresponding CVE in .trivyignore)

	Library	issue
:x:	Jetty 12	requires java 17+
:x:	HttpServer (from JDK)	No SSE, Static resource since java18
:x:	Undertow	need java 11 since 2.3
:x:	nanoHttpD	no more maintained
:x:	Tiny Java Web Server	hosted on sourceforce :scream:
:x:	Netty	Netty 4 support java8 but for how long it will be maintained ? and sounds strange to use netty for implementing a simple Http Server and no SSE API :thinking:. Note that we already use Netty 4 for coap+tcp

[jvermillard]

Another alternative is to use the HTTP server in the JDK: https://docs.oracle.com/en/java/javase/11/docs/api/jdk.httpserver/com/sun/net/httpserver/HttpServer.html It's here since forever (1.6?) in the com.sun.* namespace but since https://openjdk.org/jeps/408 in java 18 it's pretty sure it will not go away

[sbernard31]

@jvermillard thx for sharing this !

I think if we can remove a useless dependencies this is a good thing. Do you know if there is any support of Server Sent Event ? (I will not be surprised if there was no support of it)

[jvermillard]

never tried: https://stackoverflow.com/questions/67915286/java-sse-server-with-com-sun-net-httpserver-httpserver another option is long polling which should work for sure

[sbernard31]

I take a look at HttpServer there is nothing to serve static resources in java8. They add something like that with java18.

Of course we could implement our own HttpHandler which do that but if we need to re-code everything(static resource, SSE, ...) not sure this is a good move. (Especially from a security point of view)

Too bad, I liked this idea to use JDK directly :disappointed:

[sbernard31]

As I didn't find any good solution... I currently consider to migrate to jetty 12 and so have different minimum java constraint. (not sure how this will affect the build, theoretically not so much as we didn't have any tests based on jetty)

This is not ideal but I'm afraid that it will be hard to keep to java8 for all leshan module anyway because more and more libraries move to java 11 or 17... I mean I will not surprised if in the future java minimal version is not the same for each transport layer implementation... :disappointed:

I try to fight against the idea at the back of my mind, that maybe using HttpServer from JDK and write support of SSE and static resource on my own is not so much of code. :sweat_smile:

[sbernard31]

A try to move to jetty 12 : #1667