-
Notifications
You must be signed in to change notification settings - Fork 38.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Deprecate remoting technologies support #25379
Comments
@bclozel Instead of splitting those out into yet another artifact, let's rather deprecate the entire RMI and HTTP Invoker support in 5.3 and remove those bits in 6.0 altogether. Such a style of remoting is old school and not recommendable for many reasons these days. Also, the Oracle JDK team intends to deprecate serialization in some form; we can easily anticipate that here. |
I would even go as far as deprecating the Hessian support as well (a similar style with similar drawbacks even if it is not Java serialization based), leaving Also, JMS Invoker should be deprecated and removed along with HTTP invoker since it was meant as a direct equivalent, leaving |
Alright let's do that; we'll deprecate everything under:
So just leaving Now depending on how security tools are implemented, they might be relying on artifact names + versions only, not a particular class on classpath. If this is the case, deprecating and removing this support might not solve the problem in the long term, unless vendors update their detection heuristics as a result. Given how brittle the current systems seems to be (critical warnings to users for a duplicate CVE from a disbanded CNA), I'm not really optimistic right now. Users will have to reach out to their providers to make this right if the warning isn't gone by Spring Framework 6.0. |
@jhoeller Thanks for weighing in on this. I really like the idea of deprecating them now and removing them in 6.0. |
@bclozel All we'll keep in place for the time being is the remoting infrastructure for the JAX-WS and the EJB access support then. Those might fade away themselves along with some major EE support changes in 6.0 but that's a somewhat different topic. The |
Is there any option offered by the Spring team to still have support for RMI when upgrading from Spring 5 to Spring 6? Our company uses Spring RMI (via HttpInvoker) for internal/intranet services and right now we're stuck to Spring 5 and can't upgrade to Spring 6 because of Spring RMI removal. |
I upgraded to Spring Boot 3.2.0 today and found this package is completely gone! Some pointers to how to do this in "new school" would be much appreciated. |
Well, kinda sad how they managed situation :D Just drop those libs after 5 short comments and it's gone lol. |
@elfoxus I disagree this was reported back in 2020 and the spring team released this as a major update to Spring Framework 6.x. I feel they did the right thing here and there was plenty of lead time for this. I imagine they did this because there are better alternatives than using Spring RMI and Java Serialization. With that being said it doesn't matter if you are in a situation where your app needs this and you are in the middle of a Spring 6.x upgrade. You could take the Spring RMI code from Spring 5.x and port it to Spring 6.x. I don't think this would be a lot of work to make that happen it just doesn't seem like it's something Spring wants to support anymore. |
@mbazos What in your view are better alternatives? I agree that RMI and java serialization are terrible options, but spring remoting did more than this. The current rsocket spring 6 remoting support is nowhere near as clean or seamless to use right now and could imo seriously benefit from the now gone remoting framework. |
@jeacott1 FWIW using jackson json + http is a better experience in general than RMI with Java Serialization...though that's not a 1:1 with exceptions/error you could communicate that via the JSON response message. If you need something more RMI like and are not a fan of rsocket then gRPC is pretty great in the Java ecosystem. I haven't personally used rsocket but have had great success with gRPC + Java. Here is some more information: |
@mbazos as I said - I'm not using RMI and I don't want to. Rsocket is great, but its nowhere near as transparent to use as the serviceExporters were - it now takes a ton of custom rsocket controller boilerplate to expose any services in spring. |
@jeacott1 you don't like my suggestions that's fine. It's time to move on. |
The original issue here was closed #24434 and I think this needs to be brought back up again.
@bclozel made a few valid points:
The issue was closed but I think this issue should be opened and accounted for at least for the next major release of the spring framework which @bclozel had mentioned as a viable option. Before closing this ticket out it would be nice if there was a set plan on how to handle this in future major releases of spring-framework.
I did fork the spring-framework repo and split the rmi code into a new module `spring-rmi' and this isn't a difficult thing to do and making this part of a major release would be nice as when people upgrade to 6.x they can accommodate for this code no longer being in spring-web.
https://github.com/mbazos/spring-framework/tree/feature/split-remoting-to-new-module
The text was updated successfully, but these errors were encountered: