jakartaee / rest

Jakarta RESTful Web Services

Proposal: Deprecate the ClientBuilder.hostnameVerifier method #1161

Closed jamezp closed 7 months ago

jamezp commented 1 year ago

I propose we deprecate ClientBuilder.hostnameVerifier(). The JDK HttpClient does not have a way to set this. It does allow this to be disabled, but it's a global setting which doesn't work well for the ClientBuilder. It could also be overridden with some custom HostnameVerifier; however, that seems like it could lead to security risks.

There is an open issue, JDK-8213309, to enable this. However, there has been no word from the JDK team to indicate they will add this.

My assumption is this override was added for testing or internal use cases. It seems like something that could be worked around in different ways or a safer manner.
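Added example, not part of the thread or of the Jakarta REST project: one safer workaround for a test or internal host, assuming the underlying need is a server certificate issued by a private CA. It leaves hostname verification on, trusts that CA through a client-specific trust store, and refuses to build a client when the JVM-wide `jdk.internal.httpclient.disableHostnameVerification` system property is set. The class name, method names and trust-store arguments are hypothetical.

```java
import java.io.InputStream;
import java.net.http.HttpClient;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class VerifiedClientExample {
    // JVM-wide switch that turns off hostname verification for every
    // java.net.http.HttpClient in the process (the "global setting").
    static final String GLOBAL_DISABLE =
            "jdk.internal.httpclient.disableHostnameVerification";

    /** True when the system property is present and empty or "true". */
    static boolean verificationGloballyDisabled() {
        String v = System.getProperty(GLOBAL_DISABLE);
        return v != null && (v.isEmpty() || Boolean.parseBoolean(v));
    }

    /** Builds a client that trusts only the CAs in the given PKCS#12 store. */
    static HttpClient newClient(Path trustStore, char[] password) throws Exception {
        // No per-client option can re-enable the check, so fail closed.
        if (verificationGloballyDisabled()) {
            throw new IllegalStateException(GLOBAL_DISABLE + " is set");
        }
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(trustStore)) {
            ks.load(in, password);
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);

        // Trust is scoped to this SSLContext; JVM defaults are untouched and
        // no HostnameVerifier is installed, so the hostname must still match.
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return HttpClient.newBuilder().sslContext(ctx).build();
    }

    public static void main(String[] args) throws Exception {
        // Constructed usage: <trust-store.p12> <password>
        HttpClient client = newClient(Path.of(args[0]), args[1].toCharArray());
        System.out.println("TLS context: " + client.sslContext().getProtocol());
    }
}
```

The same `KeyStore` can be passed to `ClientBuilder.trustStore(KeyStore)` when the Jakarta REST client API is used instead of the JDK client directly.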

jansupol commented 1 year ago

I am -1 on this one. First, even if this is not supported by the java.net.http.HttpClient, it does not mean it is not supported by other clients (HttpsUrlConnection, Apache, ...)

~Jersey uses the HostNameVerifier with the HttpClient anyway, after the handshake.~ oops, wrong JDK client.

Jersey does not use it with HttpClient. But I am ok to update the Javadoc informing about the limited use.

jamezp commented 1 year ago

I completely understand and respect the argument. There are ways around this for sure so it's not a huge deal, but just in case others wanted to start using the JDK's HttpClient, it just seemed worth at least putting it out there :)

spericas commented 1 year ago

@jamezp Should we close this one then?

jamezp commented 1 year ago

@spericas We can if no one else agrees they want it deprecated :)

jamezp commented 7 months ago

Closing this as it's not agreed upon, which is fine.