axis-java-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "robert lazarski (JIRA)" <>
Subject [jira] [Commented] (AXIS2-5959) Axis2 has dependency on "Commons HttpClient project", which is now end of life, and is no longer being developed.
Date Tue, 18 Jun 2019 16:57:00 GMT


robert lazarski commented on AXIS2-5959:

We already support httpcommons4 , see the release notes from 1.7.0. 

Axis2 1.7.0 supports Apache HttpClient 4.x in addition to the no longer maintained Commons
HttpClient 3.x. To enable the support for HttpClient 4.x, use {{org.apache.axis2.transport.http.impl.httpclient4.HTTPClient4TransportSender}}
instead of {{org.apache.axis2.transport.http.CommonsHTTPTransportSender}} in {{axis2.xml}}.
Please note that the code was written for HttpClient 4.2.x and should work with 4.3.x and
4.4.x, but is incompatible with 4.5.x.
Those release notes are from 1.7.0 which was a few years ago, I am running httpclient-4.5.3.jar
just fine.
Here's my relevant axis2.xml, hope that helps.
    <transportSender name="https"
        <parameter name="PROTOCOL">HTTP/1.1</parameter>
        <parameter name="Transfer-Encoding">chunked</parameter>

It is confusing that we still ship with the old commons by default and distribute that jar.

[~veithen] is there any reason we could not remove all references to the old httpclient3 code
in SVN?



> Axis2 has dependency on "Commons HttpClient project", which is now end of life, and is
no longer being developed. 
> ------------------------------------------------------------------------------------------------------------------
>                 Key: AXIS2-5959
>                 URL:
>             Project: Axis2
>          Issue Type: Bug
>            Reporter: Aman Mishra
>            Priority: Critical
>         Attachments: pom.xml
> We are using axis2 version 1.7.8 ( *org.apache.axis2.osgi-1.7.8.jar* ) in our project,
we can see that in this project pom.xml under <Import-Package> section, dependency on
"Commons HttpClient project". This dependency is there in the form of *"org.apache.commons.httpclient.*,".* The
same thing we have seen in axis2 latest jar 1.7.9. 
> Now as we know this "Commons HttpClient project" is already ended of its life long back
and its no longer being developed. 
> So, please change this package dependency to Apache HttpComponents project in its HttpClient [org.apache.httpcomponents:httpclient].
> +*Note:*+ Right now we are supplying the dependency "*org.apache.commons.httpclient"* to
"*org.apache.axis2.osgi-1.7.8.jar"* by "".
Now in Nexus vulnerability report ""
is showing as vulnerable. So we want to remove this jar. But after removing this jar "*org.apache.axis2.osgi-1.7.8.jar"* osgi
bundle is not up due to unsatisfied dependency of package "*org.apache.commons.httpclient".* We
have tried to provide the dependency by using httpclient-4.5.9.jar but this has different
package hierarchy as it required in the form "*org.apache.commons.httpclient".* 
> So please change this dependency according to latest apache jar httpclient-4.5.9.jar.
> For Reference: Attaching pom.xml of Axis2 1.7.8 project.

This message was sent by Atlassian JIRA

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message