
Update Pac4j v6 and Nimbus in Druid

Open bios6 opened this issue 1 year ago • 0 comments

Description

Update to Pac4j v6, Java 17 and Nimbus version on Druid.

Motivation

Currently there is a high CVE vulnerability on Nimbus that requires an update to Pac4j and an upgrade to Java, as noticed in https://github.com/apache/druid/pull/16986. On our end we have updated to use Java 17, and when trying to update our Pac4j version from v4 to v6, we noticed that our build breaks because of some classes that we are implementing on the Druid side (such as https://github.com/apache/druid/blob/30.0.0/server/src/main/java/org/apache/druid/server/security/Authenticator.java#L29 ) which are using javax while the new Pac4j versions require jakarta. Javax is no longer supported: https://mvnrepository.com/artifact/javax.servlet/javax.servlet-api. There are a couple of other failures related to this which are breaking for us.

It looks like there was an attempt on the Druid side, which had to be reverted: https://github.com/apache/druid/pull/16986

bios6, Oct 18 '24 18:10