[refactor] Migrate integration tests to Apache HttpClient 5.x (hybrid HC4/HC5)

[duncdrum]

Summary

Migrates eXist-owned HTTP client usage from Apache HttpClient 4.x to HttpClient 5.6.1, using a deliberate hybrid model: HC5 for integration tests and extension code we control; HC4 retained only where third-party APIs require it.

HC5 defaults to RFC 6265 cookies, which aligns with Jetty 12 Set-Cookie behaviour and removes HC4 CookieSpecs.STANDARD workarounds in migrated tests (jetty/jetty.project#12771).

HC5 Phases 1–4 are complete. WebDAV Gate A is cleared (milton-client removed). Phase 5 (remove HC4 from the parent BOM) is deferred pending expath Gate B only.

Closes #5771

Note: Jetty 12.1 test and runtime fixes are tracked separately in PR #6392 and are out of scope for this description.

---

What changed

BOM (exist-parent/pom.xml)

• Added HC5 managed dependencies: httpclient5 / httpclient5-fluent 5.6.1, httpcore5 5.4
• Kept HC4 entries (httpclient, httpcore, httpmime, fluent-hc) for hybrid coexistence until Phase 5
• Removed unused milton-api / milton-client / milton-servlet from dependencyManagement
• Removed milton.version from exist-installer IzPack props
• Removed dependabot milton-webdav update group

Migrated to HC5 (org.apache.hc.*)

• Shared test infrastructure: AbstractHttpTest, AuthenticatedHttpClientTest, LoginModuleIT, JmxRemoteTest
• exist-core HTTP ITs: request/*, security, xmlrpc, urlrewrite, session, xmldb auth, RestBinariesTest, and related consumers
• Extensions: file/RestBinariesTest, restxq (4 IT classes), debuggee/HttpSession
• EXPath (partial): SendRequestFunction HttpStatus only

Test infrastructure cleanup

• exist-core test-jar publishes AbstractHttpTest for extension ITs
• Auth: preemptive Authorization request interceptor only (removed redundant BasicCredentialsProvider and fluent auth helpers)
• Response lifecycle: executeForStatus, executeForStatusAndBody, assertRequestResponse; exist-core HC5 ITs close ClassicHttpResponse
• POM analyze: explicit expath HC4 httpcore where needed; removed redundant direct httpclient5 from file/restxq after test-jar dedupe

WebDAV (Gate A cleared)

• Removed 8 milton-client JUnit tests, AlwaysBasicPreAuth, and milton cache stubs
• Added WebDavRoundTripTest and WebDavHttpTest (JDK HttpClient) for eXist-specific XML/binary round-trips
• Removed milton-client, milton-api, httpclient, httpcore from exist-webdav POM
• RFC compliance remains in Docker litmus (exist-docker/.../04-webdav-litmus.bats)

Standalone Jetty webapp template

• exist-jetty-config standalone web.xml registers Jackrabbit ExistWebdavServlet (replaces stale Milton servlet entry; aligns with [feature] Replace Milton WebDAV with Apache Jackrabbit (Level 2 + dead properties + litmus compliance) #6364 on develop)

Still on HC4 (Phase 5 Gate B)

• extensions/expath EXistTreeBuilder imports org.apache.http.Header via http-client-java 1.4.2

Auth behaviour (HC5 quirk)

HC5 fluent Executor.authPreemptive() does not reliably attach Basic credentials to /exist/... URLs. AbstractHttpTest.createAuthenticatedClient() sets preemptive Authorization via a request interceptor, shared through the exist-core test-jar (restxq and file modules).

Documentation

• BUILD.md documents GitHub Packages auth for github, github-xqts-runner, and github-jackrabbit-webdav-jakarta, plus cached-401 troubleshooting

---

What this PR does not do

• Does not remove HC4 from the parent BOM (Phase 5; blocked on expath Gate B)
• Does not upgrade http-client-java or Saxon
• Does not re-enable the debuggee module in the reactor (code migrated; module still commented out)
• Does not include Jetty 12.1 fixes (see PR jetty fixes II #6392)

---

Phase 5 follow-up

Gate A (webdav): done in this PR.

Gate B (expath):

1. PR Upgrade Saxon-HE from 9.9 to 12.5; eliminate exist-saxon-regex fork #6212 — Saxon-HE 9.9 to 12.5 (prerequisite for Bump org.expath.http.client:http-client-java from 1.4.2 to 1.5.2 #5346)
2. PR Bump org.expath.http.client:http-client-java from 1.4.2 to 1.5.2 #5346 — http-client-java 1.4.x to 1.5.2
3. Future PR — drop HC4 BOM entries from exist-parent

---

Test plan

• CI unit tests (ubuntu + windows)
• CI integration tests (ubuntu + windows)
• CI javadoc and dependency analyze
• AuthenticatedHttpClientTest
• LoginModuleIT
• RestBinariesTest (exist-core and exist-file)
• restxq integration tests
• WebDavRoundTripTest (exist-webdav)
• WebDAV litmus (Docker CI bats)

---

References

• Apache HttpClient 5.6.1: https://central.sonatype.com/artifact/org.apache.httpcomponents.client5/httpclient5
• Jetty #12771: Jetty 12 Cookie format incompatible by default with Apache HTTP Client 4.5.14 jetty/jetty.project#12771
• PR [feature] Replace Milton WebDAV with Apache Jackrabbit (Level 2 + dead properties + litmus compliance) #6364 Jackrabbit WebDAV (on develop): [feature] Replace Milton WebDAV with Apache Jackrabbit (Level 2 + dead properties + litmus compliance) #6364
• PR Upgrade Saxon-HE from 9.9 to 12.5; eliminate exist-saxon-regex fork #6212 Saxon 12: Upgrade Saxon-HE from 9.9 to 12.5; eliminate exist-saxon-regex fork #6212
• PR Bump org.expath.http.client:http-client-java from 1.4.2 to 1.5.2 #5346 http-client-java 1.5.2: Bump org.expath.http.client:http-client-java from 1.4.2 to 1.5.2 #5346

[dizzzz]

PR -though draft- seems to be a mixup of multiple PRs.

That said, I tend to ditch the apache http client where possible and simplify the codebase by using the the native HttpClient , available since Java9. What about you @reinhapa ?

[duncdrum]

@dizzzz yes the jetty upgrade fixes come first and are separate.
The scope for hc client upgrades are in the OP. I cannot ditch hc4 without touching on webdav, and expath cum saxson. So to have the tests actually do something, this is hybrid first.

We could merge it, but my plan is to keep rebasing, and cleanup the workarounds along the way.

[line-o]

Please rebase @duncdrum

[line-o]

@duncdrum this PR should not close #5771

[line-o]

@duncdrum the code does no longer compile