Skip to main content
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]
[rest-dev] Deprecating the ClientBuilder.hostnameVerifier
Hello All,
Has it ever been considered to deprecate the ClientBuilder.hostnameVerifier [1]? I ask because the JDK HttpClient does not support setting it [2] requiring the usage of an external HTTP client for REST client implementations.

The JDK HttpClient does allow this to be disabled, but it's a global setting which doesn't work well for the ClientBuilder. It could also be overridden with some custom HostnameVerifier, however that seems it could lead to security risks.

My assumption is this override was added for testing or internal use cases. It seems like something that could be worked around in different ways or a safer manner.

Anyway, I just thought I would bring this up to get some opinions or clarification on why it was added.

[1]: https://jakarta.ee/specifications/restful-ws/3.1/apidocs/jakarta.ws.rs/jakarta/ws/rs/client/clientbuilder#hostnameVerifier(javax.net.ssl.HostnameVerifier)
[2]: https://bugs.openjdk.org/browse/JDK-8213309
--
James R. Perkins
JBoss by Red Hat

Back to the top