[WIP]HIVE-29393: Upgrade Jetty 9.4.x to 10.0.24

common/src/java/org/apache/hive/http/HttpServer.java

@@ -661,7 +661,7 @@ ServerConnector createAndAddChannelConnector(int queueSize, Builder b) {
     if (!b.useSSL) {
       connector = new ServerConnector(webServer, http);
     } else {
-      SslContextFactory sslContextFactory = new SslContextFactory.Server();
+      SslContextFactory.Server sslContextFactory = new SslContextFactory.Server();
       sslContextFactory.setKeyStorePath(b.keyStorePath);
       sslContextFactory.setKeyStoreType(b.keyStoreType == null || b.keyStoreType.isEmpty() ?
           KeyStore.getDefaultType(): b.keyStoreType);

common/src/java/org/apache/hive/http/security/PamAuthenticator.java

@@ -24,7 +24,7 @@
 import org.eclipse.jetty.security.authentication.LoginAuthenticator;
 import org.eclipse.jetty.server.Authentication;
 import org.eclipse.jetty.server.UserIdentity;
-import org.eclipse.jetty.util.B64Code;
+import java.util.Base64;
 
 import javax.security.sasl.AuthenticationException;
 import javax.servlet.ServletRequest;
@@ -41,9 +41,9 @@
   This class authenticates HS2 web UI via PAM. To authenticate use
 
    * httpGet with header name "Authorization"
-   * and header value "Basic authB64Code"
+   * and header value "Basic authBase64Code"
 
-    where  authB64Code is Base64 string for "login:password"
+    where  authBase64Code is Base64 string for "login:password"
  */
 
 public class PamAuthenticator extends LoginAuthenticator {
@@ -79,7 +79,8 @@ public Authentication validateRequest(ServletRequest req, ServletResponse res, b
           String method = credentials.substring(0, space);
           if ("basic".equalsIgnoreCase(method)) {
             credentials = credentials.substring(space + 1);
-            credentials = B64Code.decode(credentials, StandardCharsets.ISO_8859_1);
+            byte[] decodedBytes = Base64.getDecoder().decode(credentials);
+            credentials = new String(decodedBytes, StandardCharsets.ISO_8859_1);
             int i = credentials.indexOf(':');
             if (i > 0) {
               String username = credentials.substring(0, i);

hcatalog/webhcat/svr/pom.xml

@@ -234,6 +234,10 @@
       <artifactId>junit-vintage-engine</artifactId>
       <scope>test</scope>
     </dependency>
+    <dependency>
+      <groupId>org.eclipse.jetty</groupId>
+      <artifactId>jetty-util</artifactId>
+    </dependency>
   </dependencies>
   <build>
     <resources>

hcatalog/webhcat/svr/src/main/java/org/apache/hive/hcatalog/templeton/Main.java

@@ -24,8 +24,9 @@
 import com.sun.jersey.spi.container.servlet.ServletContainer;
 
 import java.io.File;
-import java.io.FileInputStream;
 import java.io.IOException;
+import java.nio.file.Path;
+import java.nio.file.Paths;
 import java.util.ArrayList;
 import java.util.EnumSet;
 import java.util.HashMap;
@@ -35,6 +36,7 @@
 import org.apache.hadoop.security.authentication.server.AuthenticationFilter;
 import org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler;
 import org.apache.hadoop.hive.common.IPStackUtils;
+import org.eclipse.jetty.util.resource.PathResource;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.apache.commons.lang3.StringUtils;
@@ -204,9 +206,11 @@ public Server runServer(int port)
     if (StringUtils.isEmpty(conf.jettyConfiguration())) {
       server = new Server(port);
     } else {
-        FileInputStream jettyConf = new FileInputStream(conf.jettyConfiguration());
-        XmlConfiguration configuration = new XmlConfiguration(jettyConf);
-        server = (Server)configuration.configure();
+      Path configPath = Paths.get(conf.jettyConfiguration());
+      PathResource jettyResource = new PathResource(configPath);
+
+      XmlConfiguration configuration = new XmlConfiguration(jettyResource);
+      server = (Server) configuration.configure();
     }
 
     ServletContextHandler root = new ServletContextHandler(server, "/");
@@ -289,7 +293,7 @@ private Connector createChannelConnector(Server server) {
 
     if (conf.getBoolean(AppConfig.USE_SSL, false)) {
       LOG.info("Using SSL for templeton.");
-      SslContextFactory sslContextFactory = new SslContextFactory.Server();
+      SslContextFactory.Server sslContextFactory = new SslContextFactory.Server();
       sslContextFactory.setKeyStorePath(conf.get(AppConfig.KEY_STORE_PATH, DEFAULT_KEY_STORE_PATH));
       sslContextFactory.setKeyStorePassword(conf.get(AppConfig.KEY_STORE_PASSWORD, DEFAULT_KEY_STORE_PASSWORD));
       Set<String> excludedSSLProtocols = Sets.newHashSet(Splitter.on(",").trimResults().omitEmptyStrings()

itests/hive-unit/src/test/java/org/apache/hive/jdbc/TestActivePassiveHA.java

@@ -59,14 +59,13 @@
 import org.apache.http.StatusLine;
 import org.apache.http.util.EntityUtils;
 import org.eclipse.jetty.http.HttpHeader;
-import org.eclipse.jetty.util.B64Code;
-import org.eclipse.jetty.util.StringUtil;
+import java.util.Base64;
 import org.junit.After;
 import org.junit.AfterClass;
 import org.junit.Before;
 import org.junit.BeforeClass;
 import org.junit.Test;
-
+import java.nio.charset.StandardCharsets;
 import com.fasterxml.jackson.databind.ObjectMapper;
 
 
@@ -812,9 +811,9 @@ private String sendAuthMethod(HttpRequestBase method, boolean enableAuth, boolea
   }
 
   private void setupAuthHeaders(final HttpRequestBase method) {
-    String authB64Code =
-        B64Code.encode(ADMIN_USER + ":" + ADMIN_PASSWORD, StringUtil.__ISO_8859_1);
-    method.setHeader(HttpHeader.AUTHORIZATION.asString(), "Basic " + authB64Code);
+    String credentials = ADMIN_USER + ":" + ADMIN_PASSWORD;
+    String authBase64Code = Base64.getEncoder().encodeToString(credentials.getBytes(StandardCharsets.ISO_8859_1));
+    method.setHeader(HttpHeader.AUTHORIZATION.asString(), "Basic " + authBase64Code);
   }
 
   private Map<String, String> getConfOverlay(final String instanceId) {

itests/qtest-druid/pom.xml

@@ -32,7 +32,7 @@
     <hive.path.to.root>../..</hive.path.to.root>
     <druid.curator.version>4.0.0</druid.curator.version>
     <druid.jersey.version>1.19.3</druid.jersey.version>
-    <druid.jetty.version>9.4.57.v20241219</druid.jetty.version>
+    <druid.jetty.version>10.0.24</druid.jetty.version>
     <druid.derby.version>10.11.1.1</druid.derby.version>
     <druid.guava.version>16.0.1</druid.guava.version>
     <druid.guice.version>4.1.0</druid.guice.version>

packaging/src/license/licenses.xml

@@ -301,8 +301,8 @@
     </dependency>
     <dependency>
       <groupId>org.eclipse.jetty.websocket</groupId>
-      <artifactId>websocket-api</artifactId>
-      <version>9.4.57.v20241219</version>
+      <artifactId>websocket-jetty-api</artifactId>
+      <version>10.0.24</version>
       <licenses>
         <license>
           <name>Apache Software License - Version 2.0</name>
@@ -313,8 +313,8 @@
     </dependency>
     <dependency>
       <groupId>org.eclipse.jetty.websocket</groupId>
-      <artifactId>websocket-client</artifactId>
-      <version>9.4.57.v20241219</version>
+      <artifactId>websocket-jetty-client</artifactId>
+      <version>10.0.24</version>
       <licenses>
         <license>
           <name>Apache Software License - Version 2.0</name>
@@ -337,8 +337,8 @@
     </dependency>
     <dependency>
       <groupId>org.eclipse.jetty.websocket</groupId>
-      <artifactId>websocket-server</artifactId>
-      <version>9.4.57.v20241219</version>
+      <artifactId>websocket-jetty-server</artifactId>
+      <version>10.0.24</version>
       <licenses>
         <license>
           <name>Apache Software License - Version 2.0</name>
@@ -507,7 +507,7 @@
     <dependency>
       <groupId>org.eclipse.jetty</groupId>
       <artifactId>jetty-server</artifactId>
-      <version>9.4.57.v20241219</version>
+      <version>10.0.24</version>
       <licenses>
         <license>
           <name>Apache Software License - Version 2.0</name>
@@ -531,7 +531,7 @@
     <dependency>
       <groupId>org.eclipse.jetty</groupId>
       <artifactId>jetty-util-ajax</artifactId>
-      <version>9.4.57.v20241219</version>
+      <version>10.0.24</version>
       <licenses>
         <license>
           <name>Apache Software License - Version 2.0</name>
@@ -543,7 +543,7 @@
     <dependency>
       <groupId>org.eclipse.jetty</groupId>
       <artifactId>jetty-util</artifactId>
-      <version>9.4.57.v20241219</version>
+      <version>10.0.24</version>
       <licenses>
         <license>
           <name>Apache Software License - Version 2.0</name>

pom.xml

@@ -160,7 +160,7 @@
     <javax-servlet.version>3.1.0</javax-servlet.version>
     <javolution.version>5.5.1</javolution.version>
     <jettison.version>1.5.4</jettison.version>
-    <jetty.version>9.4.57.v20241219</jetty.version>
+    <jetty.version>10.0.24</jetty.version>
     <jersey.version>1.19.4</jersey.version>
     <!-- HIVE-28992: only upgrade to newer than 3.25.0 if you tested the prompt -->
     <jline.version>3.25.0</jline.version>

service/src/java/org/apache/hive/service/cli/thrift/ThriftHttpCLIService.java

@@ -42,7 +42,6 @@
 import org.apache.hadoop.hive.shims.ShimLoader;
 import org.apache.hadoop.security.UserGroupInformation;
 import org.apache.hadoop.util.ExitUtil;
-import org.apache.hive.service.ServiceUtils;
 import org.apache.hive.service.auth.AuthType;
 import org.apache.hive.service.auth.HiveAuthFactory;
 import org.apache.hive.service.auth.saml.HiveSamlHttpServlet;
@@ -56,10 +55,8 @@
 import org.apache.thrift.protocol.TProtocolFactory;
 import org.apache.thrift.server.TServlet;
 import org.eclipse.jetty.io.Connection;
-import org.eclipse.jetty.io.EndPoint;
 import org.eclipse.jetty.security.ConstraintMapping;
 import org.eclipse.jetty.security.ConstraintSecurityHandler;
-import org.eclipse.jetty.server.Connector;
 import org.eclipse.jetty.server.HttpConfiguration;
 import org.eclipse.jetty.server.HttpConnectionFactory;
 import org.eclipse.jetty.server.Server;
@@ -126,22 +123,18 @@ public void setThreadFactory(ThreadFactory threadFactory) {
       conf.setResponseHeaderSize(responseHeaderSize);
       conf.setSendServerVersion(false);
       conf.setSendXPoweredBy(false);
-      final HttpConnectionFactory http = new HttpConnectionFactory(conf) {
-        public Connection newConnection(Connector connector, EndPoint endPoint) {
-          Connection connection = super.newConnection(connector, endPoint);
-          connection.addListener(new Connection.Listener() {
-            public void onOpened(Connection connection) {
-              openConnection();
-            }
-
-            public void onClosed(Connection connection) {
-              closeConnection();
-            }
-          });
-          return connection;
+      final HttpConnectionFactory http = new HttpConnectionFactory(conf);
+      http.addBean(new Connection.Listener() {
+        @Override
+        public void onOpened(Connection connection) {
+          openConnection();
         }
-      };
 
+        @Override
+        public void onClosed(Connection connection) {
+          closeConnection();
+        }
+      });
       boolean useSsl = hiveConf.getBoolVar(ConfVars.HIVE_SERVER2_USE_SSL);
       String schemeName = useSsl ? "https" : "http";
 
@@ -163,7 +156,7 @@ public void onClosed(Connection connection) {
         if (keyStoreAlgorithm.isEmpty()) {
           keyStoreAlgorithm = KeyManagerFactory.getDefaultAlgorithm();
         }
-        SslContextFactory sslContextFactory = new SslContextFactory.Server();
+        SslContextFactory.Server sslContextFactory = new SslContextFactory.Server();
         String[] excludedProtocols = hiveConf.getVar(ConfVars.HIVE_SSL_PROTOCOL_BLACKLIST).split(",");
         LOG.info("HTTP Server SSL: adding excluded protocols: " + Arrays.toString(excludedProtocols));
         sslContextFactory.addExcludeProtocols(excludedProtocols);

service/src/test/org/apache/hive/service/server/TestHS2HttpServerLDAP.java

@@ -35,10 +35,9 @@
 import org.apache.http.params.BasicHttpParams;
 import org.apache.http.params.HttpParams;
 import org.eclipse.jetty.http.HttpHeader;
-import org.eclipse.jetty.util.B64Code;
-import org.eclipse.jetty.util.StringUtil;
-
+import java.util.Base64;
 import java.nio.charset.StandardCharsets;
+
 import java.util.List;
 import java.util.Optional;
 import org.junit.AfterClass;
@@ -89,8 +88,9 @@ public void testValidCredentialsWithAuthorizationHeader() throws Exception {
       httpclient = builder.build();
 
       HttpGet httpGet = new HttpGet("http://" + HOST + ":" + webUIPort + "/jmx");
-      String authB64Code = B64Code.encode(VALID_USER + ":" + VALID_PASS, StringUtil.__ISO_8859_1);
-      httpGet.setHeader(HttpHeader.AUTHORIZATION.asString(), "Basic " + authB64Code);
+      String credentials = VALID_USER + ":" + VALID_PASS;
+      String authBase64Code = Base64.getEncoder().encodeToString(credentials.getBytes(StandardCharsets.ISO_8859_1));
+      httpGet.setHeader(HttpHeader.AUTHORIZATION.asString(), "Basic " + authBase64Code);
       httpclient.execute(httpGet);
 
       Assert.assertTrue(isAuthorized(httpCookieStore.getCookies()));
@@ -110,8 +110,9 @@ public void testInvalidCredentialsWithInAuthorizationHeader() throws Exception {
       httpclient = builder.build();
 
       HttpGet httpGet = new HttpGet("http://" + HOST + ":" + webUIPort + "/jmx");
-      String authB64Code = B64Code.encode(INVALID_USER + ":" + INVALID_PASS, StringUtil.__ISO_8859_1);
-      httpGet.setHeader(HttpHeader.AUTHORIZATION.asString(), "Basic " + authB64Code);
+      String credentials = INVALID_USER + ":" + INVALID_PASS;
+      String authBase64Code = Base64.getEncoder().encodeToString(credentials.getBytes(StandardCharsets.ISO_8859_1));
+      httpGet.setHeader(HttpHeader.AUTHORIZATION.asString(), "Basic " + authBase64Code);
       httpclient.execute(httpGet);
 
       Assert.assertFalse(isAuthorized(httpCookieStore.getCookies()));

service/src/test/org/apache/hive/service/server/TestHS2HttpServerPam.java

@@ -27,8 +27,9 @@
 import org.apache.http.impl.client.HttpClients;
 import org.eclipse.jetty.http.HttpHeader;
 import org.eclipse.jetty.server.UserIdentity;
-import org.eclipse.jetty.util.B64Code;
-import org.eclipse.jetty.util.StringUtil;
+
+import java.nio.charset.StandardCharsets;
+import java.util.Base64;
 import org.junit.AfterClass;
 import org.junit.Assert;
 import org.junit.BeforeClass;
@@ -90,8 +91,9 @@ public void testAuthorizedConnection() throws Exception {
       httpclient = HttpClients.createDefault();
 
       HttpGet httpGet = new HttpGet("http://" + host + ":" + webUIPort);
-      String authB64Code = B64Code.encode(username + ":" + password, StringUtil.__ISO_8859_1);
-      httpGet.setHeader(HttpHeader.AUTHORIZATION.asString(), "Basic " + authB64Code);
+      String credentials = username + ":" + password;
+      String authBase64Code = Base64.getEncoder().encodeToString(credentials.getBytes(StandardCharsets.ISO_8859_1));
+      httpGet.setHeader(HttpHeader.AUTHORIZATION.asString(), "Basic " + authBase64Code);
       CloseableHttpResponse response = httpclient.execute(httpGet);
       Assert.assertTrue(response.toString().contains(Integer.toString(HttpURLConnection.HTTP_OK)));
 
@@ -111,8 +113,9 @@ public void testIncorrectUser() throws Exception {
       httpclient = HttpClients.createDefault();
 
       HttpGet httpGet = new HttpGet("http://" + host + ":" + webUIPort);
-      String authB64Code = B64Code.encode(username + ":" + password, StringUtil.__ISO_8859_1);
-      httpGet.setHeader(HttpHeader.AUTHORIZATION.asString(), "Basic " + authB64Code);
+      String credentials = username + ":" + password;
+      String authBase64Code = Base64.getEncoder().encodeToString(credentials.getBytes(StandardCharsets.ISO_8859_1));
+      httpGet.setHeader(HttpHeader.AUTHORIZATION.asString(), "Basic " + authBase64Code);
       CloseableHttpResponse response = httpclient.execute(httpGet);
       Assert.assertTrue(response.toString().contains(Integer.toString(HttpURLConnection.HTTP_UNAUTHORIZED)));
 
@@ -132,8 +135,9 @@ public void testIncorrectPassword() throws Exception {
       httpclient = HttpClients.createDefault();
 
       HttpGet httpGet = new HttpGet("http://" + host + ":" + webUIPort);
-      String authB64Code = B64Code.encode(username + ":" + password, StringUtil.__ISO_8859_1);
-      httpGet.setHeader(HttpHeader.AUTHORIZATION.asString(), "Basic " + authB64Code);
+      String credentials = username + ":" + password;
+      String authBase64Code = Base64.getEncoder().encodeToString(credentials.getBytes(StandardCharsets.ISO_8859_1));
+      httpGet.setHeader(HttpHeader.AUTHORIZATION.asString(), "Basic " + authBase64Code);
       CloseableHttpResponse response = httpclient.execute(httpGet);
       Assert.assertTrue(response.toString().contains(Integer.toString(HttpURLConnection.HTTP_UNAUTHORIZED)));
 

standalone-metastore/metastore-server/src/main/java/org/apache/hadoop/hive/metastore/HiveMetaStore.java

@@ -68,12 +68,14 @@
 
 import org.eclipse.jetty.security.ConstraintMapping;
 import org.eclipse.jetty.security.ConstraintSecurityHandler;
+import org.eclipse.jetty.http.HttpVersion;
 import org.eclipse.jetty.server.HttpChannel;
 import org.eclipse.jetty.server.HttpConfiguration;
 import org.eclipse.jetty.server.HttpConnectionFactory;
 import org.eclipse.jetty.server.Request;
 import org.eclipse.jetty.server.Server;
 import org.eclipse.jetty.server.ServerConnector;
+import org.eclipse.jetty.server.SslConnectionFactory;
 import org.eclipse.jetty.servlet.ServletContextHandler;
 import org.eclipse.jetty.servlet.ServletHolder;
 import org.eclipse.jetty.util.security.Constraint;
@@ -380,9 +382,10 @@ public void setThreadFactory(ThreadFactory threadFactory) {
 
     final HttpConnectionFactory http = new HttpConnectionFactory(httpServerConf);
 
-    final SslContextFactory sslContextFactory = ServletSecurity.createSslContextFactory(conf);
+    final SslContextFactory.Server sslContextFactory = ServletSecurity.createSslContextFactory(conf);
     if (sslContextFactory != null) {
-      connector = new ServerConnector(server, sslContextFactory, http);
+      connector = new ServerConnector(server, new SslConnectionFactory(sslContextFactory,
+          HttpVersion.HTTP_1_1.asString()), http);
     } else {
       connector = new ServerConnector(server, http);
     }

standalone-metastore/metastore-server/src/main/java/org/apache/hadoop/hive/metastore/ServletSecurity.java

@@ -338,7 +338,7 @@ static void loginServerPrincipal(Configuration conf) throws IOException {
    * @return null if no ssl in config, an instance otherwise
    * @throws IOException if getting password fails
    */
-  static SslContextFactory createSslContextFactory(Configuration conf) throws IOException {
+  static SslContextFactory.Server createSslContextFactory(Configuration conf) throws IOException {
     final boolean useSsl = MetastoreConf.getBoolVar(conf, MetastoreConf.ConfVars.USE_SSL);
     if (!useSsl) {
       return null;
@@ -359,7 +359,7 @@ static SslContextFactory createSslContextFactory(Configuration conf) throws IOEx
     if (LOG.isInfoEnabled()) {
       LOG.info("HTTP Server SSL: adding excluded protocols: {}", Arrays.toString(excludedProtocols));
     }
-    SslContextFactory factory = new SslContextFactory.Server();
+    SslContextFactory.Server factory = new SslContextFactory.Server();
     factory.addExcludeProtocols(excludedProtocols);
     if (LOG.isInfoEnabled()) {
       LOG.info("HTTP Server SSL: SslContextFactory.getExcludeProtocols = {}",