Use modern-ish jetty#377
Conversation
|
Thanks for your pull request. It looks like this may be your first contribution to a Google open source project (if not, look below for help). Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). 📝 Please visit https://cla.developers.google.com/ to sign. Once you've signed (or fixed any issues), please reply here with What to do if you already signed the CLAIndividual signers
Corporate signers
ℹ️ Googlers: Go here for more info. |
googlebot
added
the
cla: no
google-oauth-client-jetty/pom.xml
Outdated
| <groupId>com.google.oauth-client</groupId> | ||
| <artifactId>google-oauth-client-parent</artifactId> | ||
| <version>1.30.4-SNAPSHOT</version><!-- {x-version-update:google-oauth-client:current} --> | ||
| <version>1.30.3</version><!-- {x-version-update:google-oauth-client:current} --> |
There was a problem hiding this comment.
I don't think this should have changed
google-oauth-client-jetty/pom.xml
Outdated
| <artifactId>jetty</artifactId> | ||
| <groupId>org.eclipse.jetty</groupId> | ||
| <artifactId>jetty-server</artifactId> | ||
| <version>8.2.0.v20160908</version> |
There was a problem hiding this comment.
maybe a dependencyManagement section somewhere needs to be updated?
There was a problem hiding this comment.
Found the upstream reference in the main pom.xml and fixed it there.
| Connector connector = server.getConnectors()[0]; | ||
| connector.setHost(host); | ||
| server.addHandler(new CallbackHandler()); | ||
| //Deprecated |
| @Override | ||
| public void handle( | ||
| String target, HttpServletRequest request, HttpServletResponse response, int dispatch) | ||
| String target, Request baseRequest, HttpServletRequest request, HttpServletResponse response) |
There was a problem hiding this comment.
This looks like a change in public API, which we are loath to do. Can the old method be retained and add this one, maybe one with a delegate to the other?
There was a problem hiding this comment.
I have no idea how to to that!
But, I figured after 4 years of there being a request to update a decade old highly vulnerable package ( [CVE-2011-4461][CVE-2017-7656][CVE-2017-7657][CVE-2017-7658][CVE-2017-9735][CVE-2019-10241][CVE-2019-10247] ) I might atleast post a PR to get some traction on the issue.
There was a problem hiding this comment.
Also:
This is public within class CallbackHandler which is not public. I am guessing that this is only exposed to the LocalServerReceiver class that it is nested within. Although my knowledge of java is garbage so I may be completely wrong.
There was a problem hiding this comment.
If the class is non-public, that's OK then.
There was a problem hiding this comment.
Looks like there is one style issue I am creating. I will try and fix it. Please re-run kokoro.
elharo
added
the
kokoro:force-run
kokoro-team
removed
the
kokoro:force-run
|
CLAs look good, thanks! ℹ️ Googlers: Go here for more info. |
googlebot
added
cla: yes
elharo
added
kokoro:force-run
kokoro-team
removed
the
kokoro:force-run
elharo
added
the
kokoro:force-run
kokoro-team
removed
the
kokoro:force-run
|
Yay everything passes! |
elharo
left a comment
elharo
left a comment
There was a problem hiding this comment.
Long term I wonder if we should be using Jetty at all. It might be overkill for what we need. For now, though, this seems like an improvement.
@chingor13 Any final comments here?
|
We don't have this version of jetty internally (we do have 9.4.x) so we won't be able to import this in. We should likely update to 9.4 before we attempt to import it internally. |
chingor13
left a comment
chingor13
left a comment
There was a problem hiding this comment.
I agree this is better than the alternative of leaving the old jetty.
|
I am still looking at migrating to 9.4.x but the 8 => 9 upgrade is pretty non-trivial. |
5 participants
Fixes #233
Works towards #130