Upgrade to Jetty 9 #130

Open
elharo opened this issue Aug 16, 2016 · 14 comments
Labels
type: feature request ‘Nice-to-have’ improvement, new feature or different behavior or design.

Comments

@elharo
Contributor

elharo commented Aug 16, 2016

In particular, use org.eclipse.jetty instead of org.mortbay.jetty.

@chanseokoh
Contributor

@ejona86, are you comfortable upgrading to Jetty 9 in LocalServerReceiver?

@chanseokoh
Contributor

Seems like Jetty 9 requires Java 8. My guess is that we can't do this now; I saw Travis build tests for openjdk6 and 7.

@evantill

What about using Jetty 8? See my PR #155.

@hakanai

hakanai commented Jun 1, 2017

We'd like Jetty 9 too. It's just one class, how hard could it be? :)

@ghost

ghost commented Jun 1, 2017

@trejkaz I think that the problem is not about complexity but more about risk / side effects (on other projects). And Jetty 9 requires Java 8, but google-oauth-java-client is compatible with Java 6.

@hakanai

hakanai commented Jun 1, 2017

What if the Jetty 9 support were done in a java8-only package, leaving alone the current one for people who are still keen on living in the past?

@eevirgen

eevirgen commented Nov 21, 2017

The current version of google-oauth-java-client is using org.mortbay.jetty.
That is okay; however, org.mortbay.jetty includes and supports only the Servlet 2.5 API.

It is highly possible that someone will try to use Google Auth Libraries in an application using the Servlet 3.0 API and its methods (like getHeader etc.). This will cause a conflict.

Erkut Evirgen

@v4dkou

v4dkou commented Feb 1, 2018

Encountered this problem when trying to create a service with Spark Framework, which is built around Jetty 9, and, as @eevirgen had said, there is a conflict between the Servlet 2.* and 3.* APIs.

It's not hard to ditch the google-oauth-java-client and just finish the authentication with my own code, but I'd rather not.

@elharo
Contributor Author

elharo commented May 27, 2018

Any chance of getting this in now?

@jeanbza
Member

jeanbza commented May 27, 2018

Hi @elharo - we're undergoing a release right now as well as cleaning up the backend to make releases in the future easier and quicker. This repo is frozen until that process is done, unfortunately. We'll circle back to this issue and others once the release is done.

@JustinBeckwith added the "type: feature request" and "🚨 This issue needs some love." labels and removed the "status: investigating" label on Jun 8, 2018.
@JustinBeckwith removed the "🚨 This issue needs some love." label on Jun 25, 2018.

@cowwoc

cowwoc commented Jan 19, 2019

Hi. It's 2019 now and the dependency on this older version of Jetty is turning into a pain. Any update on this issue?

@jjYBdx4IL

jjYBdx4IL commented Jan 23, 2019

The server dependence of a client library should be factored out into a separate package. Or make it optional. This is definitely bloat. Also, it uses org.mortbay stuff instead of generic servlet APIs, which makes it even worse.

@Ancient123

So... There is like a pile of CVEs related to old versions of Jetty at this point. Using a 9-year-old version of Jetty with known vulnerabilities seems like a significant security risk... Maybe you guys should bump this up the priority list.

[CVE-2011-4461] Cryptographic Issues
[CVE-2017-7656] Improper Access Control
[CVE-2017-7657] Integer Overflow or Wraparound
[CVE-2017-7658] Data Handling
[CVE-2017-9735] Information Exposure
[CVE-2019-10241] Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting")
[CVE-2019-10247] Information Exposure

@Ancient123

We successfully upgraded from org.mortbay.jetty 6 to org.eclipse.jetty 8.2.0.v20160908.
The v8 to v9 upgrade seems to be non-trivial though, due to the way Connection objects changed.

But at least we have some progress.
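
A way to check whether a build still pulls in the legacy `org.mortbay.jetty` artifacts discussed in this thread, and through which direct dependency. This is an added example, not code from the issue or the project; it parses the text output of `mvn dependency:tree`, and the sample tree (including every `0.0.0` version) is constructed for illustration.

```python
import re

# Pre-Eclipse Jetty namespace named in this thread.
LEGACY_GROUPS = {"org.mortbay.jetty"}

# Optional "[INFO] " prefix, then tree-drawing characters, then a Maven coordinate.
LINE = re.compile(r"^(?:\[INFO\] )?([| +\\-]*)([\w.\-]+(?::[\w.\-]+)+)\s*$")

def find_legacy_jetty(tree_text):
    """Return [(coordinate, path)] for each legacy artifact, where path is the
    chain of coordinates from the project root down to that artifact."""
    stack, hits = [], []      # stack[d] = coordinate at depth d on this branch
    for raw in tree_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue          # banner, blank, or summary line
        depth = len(m.group(1)) // 3   # each tree level is drawn 3 chars wide
        coord = m.group(2)
        del stack[depth:]     # drop siblings and their children
        stack.append(coord)
        if coord.split(":")[0] in LEGACY_GROUPS:
            hits.append((coord, list(stack)))
    return hits

def direct_culprits(hits):
    """Direct dependencies of the root that transitively bring in legacy Jetty."""
    return {path[1] for _, path in hits if len(path) > 1}

# Constructed sample output; versions are placeholders, not real releases.
SAMPLE_TREE = r"""
[INFO] --- maven-dependency-plugin:0.0.0:tree (default-cli) @ app ---
[INFO] com.example:app:jar:0.0.0
[INFO] +- com.google.oauth-client:google-oauth-client-jetty:jar:0.0.0:compile
[INFO] |  +- com.google.oauth-client:google-oauth-client-java6:jar:0.0.0:compile
[INFO] |  \- org.mortbay.jetty:jetty:jar:0.0.0:compile
[INFO] |     +- org.mortbay.jetty:jetty-util:jar:0.0.0:compile
[INFO] |     \- org.mortbay.jetty:servlet-api:jar:0.0.0:compile
[INFO] \- com.sparkjava:spark-core:jar:0.0.0:compile
[INFO]    \- org.eclipse.jetty:jetty-server:jar:0.0.0:compile
"""

if __name__ == "__main__":
    for coord, path in find_legacy_jetty(SAMPLE_TREE):
        print(coord, "<-", " <- ".join(reversed(path[:-1])))
    print("exclude or replace:", sorted(direct_culprits(find_legacy_jetty(SAMPLE_TREE))))
```

The reported direct dependency is the place to apply a Maven `<exclusions>` entry or a replacement, which also removes the bundled Servlet 2.5 API that collides with Jetty 9 based applications.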
