Need to change httpClient bean from commons-httpclient to org.apache.httpcomponents in opensaml2.6.6

[sandhya223]

Can we override httpClient bean from commons-httpclient(3.1) to org.apache.httpcomponents(4.5.13) in SpringSecuritySamlGrailsPlugin in grails-spring-security-saml: 4.0.2.

[valentingoebel]

ArtifactResolutionProfileImpl requires the commons httpclient. However, I understand that declaring a bean with the name "httpClient" in a plugin is not a good idea because its such a common name. I can rename the bean but I am not sure if there is anyone out there who depends on this implementation detail. If I want to ensure no breaking changes I have to declare the HttpClient twice and users would have to manually override it or set a config to disable the obsolete bean.

[valentingoebel]

I have renamed the bean in the 4.0.4 branch but I haven't tested the code yet:

https://github.com/jeffwils/grails-spring-security-saml/commit/fc613e4a2bd3904ff3ed97854a4ad06b6b935764

[sandhya223]

Thank you for the reply.

We have received blackduck security vulnerability for Apache Client 3.1 which is a transitive dependency of org.springframework.security.extensions1.0.9.RELEASE -> openws1.5.6 -> opensaml 2.6.6

We are trying to exclude Apache Client 3.1(commons-httpclient) version and upgrading to 4.5.13 (org.apache.httpcomponents) version in build.gradle

We are getting below exception java.lang.NoClassDefFoundError: org/apache/commons/httpclient/protocol/ProtocolSocketFactory

Could you please help me to replace httpclient(HttpClient) bean which is importing from import org.apache.commons.httpclient.HttpClient in SpringSecuritySamlGrailsPlugin to org.apache.httpcomponents 4.5.13

[sandhya223]

Hi valentingoebel,

We are blocked with above issue, Could you please share your thoughts which will help us to move forward.

[sandhya223]

Hi valentingoebel,

Could you please look in to it.

[sandhya223]

Hi valentingoebel,

Could you please share your suggestions.