
Bump the maven-patch-group group across 1 directory with 2 updates #3976

Draft
dependabot[bot] wants to merge 1 commit into main from dependabot/maven/maven-patch-group-9a2b8e880a

@dependabot dependabot Bot commented on behalf of github Jun 8, 2026

Contributor

Bumps the maven-patch-group group with 2 updates in the / directory: org.eclipse.jetty:jetty-bom and org.eclipse.jetty.ee11:jetty-ee11-bom.

Updates org.eclipse.jetty:jetty-bom from 12.1.9 to 12.1.10

Release notes

Sourced from org.eclipse.jetty:jetty-bom's releases.

12.1.10

Changelog

  • #15180 - Upgrade to Quiche version 0.29.1
  • #15161 - Reduce memory footprint for persistent HttpConnections
  • #15136 - Refresh Digest authentication implementation
  • #15118 - Upgrade to Quiche version 0.29.0
  • #15094 - Jetty 12.1 Regression: Deferred Authentication provides Callback.NOT_CALLED leading to errors
  • #15074 - HTTP/2 extended connect responses contain Content-Length: 0
  • #15031 - IOResources#toRetainableByteBuffer data loss when using resources without path
  • #15021 - Resource handling regression in 12.1.9
  • #15011 - PathResource.resolve() fails on Microsoft Windows due to Illegal char <:>
  • #15009 - Make processing of RST_STREAM more lenient
  • #14984 - XmlConfiguration emits "Deprecated method ... setMaxThreads" WARN from shipped jetty-threadpool-virtual.xml
  • #14745 - NPE in HttpChannelState.completeStream() when _request is null during multipart cleanup
  • #14528 - BinaryStreamTest.testMoreThanLargestMessageOneByteAtATime() is flaky
  • #14522 - Bundle org.eclipse.jetty.websocket.server OSGI metadata exports internal instead of public package
  • #14006 - How to handle "Warning Logs in org.eclipse.jetty.ee8.nested.HttpChannelState and org.eclipse.jetty.server.internal.HttpChannelState"
  • #9799 - Declare EncodingException for HPACK/QPACK encoders and decoders
Commits
  • 9860245 Updating to version 12.1.10
  • 6d62879 IteratingCallback concurrent abort() may not notify abort event. (#15185)
  • 962f73f Fixes #15009 - Make processing of RST_STREAM more lenient. (#15087)
  • 6324c65 #15180 upgrade quiche to version 0.29.1
  • d0bb829 Fixes #15136 - Refresh Digest authentication implementation.
  • ac73ac1 Issue #14522 Bundle org.eclipse.jetty.websocket.server OSGI metadata should e...
  • 206c2e6 Merge pull request #15179 from jetty/fix/jetty-12.1.x/14745-MultiPartCleanup
  • 8d86494 Merge pull request #15163 from jetty/fix/jetty-12.1.x/15161-HttpConnectionOpt...
  • 437e617 Merge pull request #15178 from jetty/fix/jetty-12.1.x/14006-ReadPendingWarnings
  • 577d932 Issue #14745 - fix race for double call of HttpChannelState.completeStream (1...
  • Additional commits viewable in compare view

Updates org.eclipse.jetty.ee11:jetty-ee11-bom from 12.1.9 to 12.1.10

Release notes

Sourced from org.eclipse.jetty.ee11:jetty-ee11-bom's releases.

12.1.10

Changelog

  • #15180 - Upgrade to Quiche version 0.29.1
  • #15161 - Reduce memory footprint for persistent HttpConnections
  • #15136 - Refresh Digest authentication implementation
  • #15118 - Upgrade to Quiche version 0.29.0
  • #15094 - Jetty 12.1 Regression: Deferred Authentication provides Callback.NOT_CALLED leading to errors
  • #15074 - HTTP/2 extended connect responses contain Content-Length: 0
  • #15031 - IOResources#toRetainableByteBuffer data loss when using resources without path
  • #15021 - Resource handling regression in 12.1.9
  • #15011 - PathResource.resolve() fails on Microsoft Windows due to Illegal char <:>
  • #15009 - Make processing of RST_STREAM more lenient
  • #14984 - XmlConfiguration emits "Deprecated method ... setMaxThreads" WARN from shipped jetty-threadpool-virtual.xml
  • #14745 - NPE in HttpChannelState.completeStream() when _request is null during multipart cleanup
  • #14528 - BinaryStreamTest.testMoreThanLargestMessageOneByteAtATime() is flaky
  • #14522 - Bundle org.eclipse.jetty.websocket.server OSGI metadata exports internal instead of public package
  • #14006 - How to handle "Warning Logs in org.eclipse.jetty.ee8.nested.HttpChannelState and org.eclipse.jetty.server.internal.HttpChannelState"
  • #9799 - Declare EncodingException for HPACK/QPACK encoders and decoders
Commits
  • 9860245 Updating to version 12.1.10
  • 6d62879 IteratingCallback concurrent abort() may not notify abort event. (#15185)
  • 962f73f Fixes #15009 - Make processing of RST_STREAM more lenient. (#15087)
  • 6324c65 #15180 upgrade quiche to version 0.29.1
  • d0bb829 Fixes #15136 - Refresh Digest authentication implementation.
  • ac73ac1 Issue #14522 Bundle org.eclipse.jetty.websocket.server OSGI metadata should e...
  • 206c2e6 Merge pull request #15179 from jetty/fix/jetty-12.1.x/14745-MultiPartCleanup
  • 8d86494 Merge pull request #15163 from jetty/fix/jetty-12.1.x/15161-HttpConnectionOpt...
  • 437e617 Merge pull request #15178 from jetty/fix/jetty-12.1.x/14006-ReadPendingWarnings
  • 577d932 Issue #14745 - fix race for double call of HttpChannelState.completeStream (1...
  • Additional commits viewable in compare view

Bumps the maven-patch-group group with 2 updates in the / directory: [org.eclipse.jetty:jetty-bom](https://github.com/jetty/jetty.project) and [org.eclipse.jetty.ee11:jetty-ee11-bom](https://github.com/jetty/jetty.project).


Updates `org.eclipse.jetty:jetty-bom` from 12.1.9 to 12.1.10
- [Release notes](https://github.com/jetty/jetty.project/releases)
- [Commits](jetty/jetty.project@jetty-12.1.9...jetty-12.1.10)

Updates `org.eclipse.jetty.ee11:jetty-ee11-bom` from 12.1.9 to 12.1.10
- [Release notes](https://github.com/jetty/jetty.project/releases)
- [Commits](jetty/jetty.project@jetty-12.1.9...jetty-12.1.10)

Updates `org.eclipse.jetty.ee11:jetty-ee11-bom` from 12.1.9 to 12.1.10
- [Release notes](https://github.com/jetty/jetty.project/releases)
- [Commits](jetty/jetty.project@jetty-12.1.9...jetty-12.1.10)

---
updated-dependencies:
- dependency-name: org.eclipse.jetty:jetty-bom
  dependency-version: 12.1.10
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: maven-patch-group
- dependency-name: org.eclipse.jetty.ee11:jetty-ee11-bom
  dependency-version: 12.1.10
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: maven-patch-group
- dependency-name: org.eclipse.jetty.ee11:jetty-ee11-bom
  dependency-version: 12.1.10
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: maven-patch-group
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added the dependencies (Pull requests that update a dependency file) and java (Pull requests that update Java code) labels Jun 8, 2026
@afs afs marked this pull request as draft June 8, 2026 14:19

afs commented Jun 8, 2026

Member

The Jetty upgrade breaks digest authentication, probably because Jena's implementation is following the original RFC.

afs commented Jun 8, 2026

Member

Probably Jena's digest authentication has kept up with RFCs.

jetty/jetty.project#15136

@OyvindLGjesdal

Contributor

I looked at this (with an LLM) and did some tests on what was minimal to pass the tests, and I think using the query, together with the path, while also setting the algorithm is enough to make the tests pass. Note that sometimes it seemed to intermittently fail also.

See main...OyvindLGjesdal:jena:dependabot/maven/maven-patch-group-52fd5e174b

Not very confident here with the code and me understanding the full context.

I ran

# local files in path, so skipping rat
mvn -DskipTests install -pl jena-integration-tests -am  -Drat.skip=true  
mvn test -pl jena-integration-tests -Dsurefire.rerunFailingTestsCount=5

The LLM also suggested changing the starting value for the nonce to 1 (as per the RFC) as well as adding a header, but those didn't fix or change the failing tests (commented them out, rebuilt and reran tests successfully).

I guess a proper long term fix would be to change the implementation to use a recommended algorithm?

afs commented Jun 8, 2026

Member

Yes, the nonce needs to start from >0.
And the request target code is wrong - as you found out. HttpLib.requestTargetServer even has a comment about query string ... which is ignored!

The code is using MD5 with no algorithm header which is now wrong.

The simple fix is to switch to hashing with SHA-256 (required, default).

But as changes are happening, the code could handle the "algorithm=" parameter and the possible multiple WWW-Authenticate headers which the code does not do.

I think Jetty only sends one WWW-Authenticate but in general, there can be several with algorithm negotiation.

Maybe a direct fix now and refinement later!

Issue #3977.


PS
Jetty does indeed send one WWW-Authenticate and it is for SHA-256.

https://github.com/afs/jena/tree/jetty-3976
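
An added illustration of the client-side points raised in this thread (not code from Jena, Jetty or any participant): choosing among several WWW-Authenticate Digest challenges, sending path plus query as the `uri=` value, and starting the nonce count at 1. The function names and sample headers are constructed for the example, it assumes `qop=auth`, and it is written in Python to show the protocol arithmetic rather than Jena's Java code.

```python
import hashlib
import re
import secrets

# Client preference order, strongest first (algorithm names as in RFC 7616).
ALGORITHMS = {"SHA-256": hashlib.sha256, "MD5": hashlib.md5}

# Constructed sample: one challenge per WWW-Authenticate header.
SAMPLE_HEADERS = [
    'Digest realm="example", nonce="abc123", qop="auth", algorithm=MD5',
    'Digest realm="example", nonce="abc123", qop="auth", algorithm=SHA-256',
]

def parse_challenge(header):
    """Parse one 'Digest k="v", k=v' header value into a dict (None if not Digest)."""
    scheme, _, rest = header.partition(" ")
    if scheme.lower() != "digest":
        return None
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', rest)
    return {key.lower(): quoted or bare for key, quoted, bare in pairs}

def select_challenge(headers):
    """Return (algorithm, challenge) for the strongest algorithm the client supports."""
    challenges = [c for c in map(parse_challenge, headers) if c]
    for name in ALGORITHMS:  # dict order is the preference order
        for c in challenges:
            # RFC 7616: a challenge with no algorithm parameter means MD5.
            if c.get("algorithm", "MD5").upper() == name:
                return name, c
    raise ValueError("no supported Digest algorithm offered")

def digest_response(name, c, user, password, method, uri, nc, cnonce):
    """qop=auth: response = H(H(user:realm:password):nonce:nc:cnonce:auth:H(method:uri))."""
    if nc < 1:
        raise ValueError("nonce count (nc) starts at 1")
    h = lambda s: ALGORITHMS[name](s.encode()).hexdigest()
    ha1 = h(f"{user}:{c['realm']}:{password}")
    ha2 = h(f"{method}:{uri}")
    return h(f"{ha1}:{c['nonce']}:{nc:08x}:{cnonce}:auth:{ha2}")

def authorization(headers, user, password, method, path, query=None, nc=1, cnonce=None):
    """Build the Authorization value; uri= is path plus query, as on the request line."""
    name, c = select_challenge(headers)
    uri = f"{path}?{query}" if query else path
    cnonce = cnonce or secrets.token_hex(16)
    resp = digest_response(name, c, user, password, method, uri, nc, cnonce)
    return (f'Digest username="{user}", realm="{c["realm"]}", nonce="{c["nonce"]}", '
            f'uri="{uri}", algorithm={name}, qop=auth, nc={nc:08x}, '
            f'cnonce="{cnonce}", response="{resp}"')
```

Because the server recomputes `H(method:uri)` from the request it received, a client that hashes only the path fails on any request that carries a query string.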

afs added a commit to afs/jena that referenced this pull request Jun 9, 2026
@afs afs mentioned this pull request Jun 9, 2026