[apache5-client] Fail fast when SecurityManager lacks TCP_KEEPIDLE/TCP_KEEPINTERVAL/TCP_KEEPCOUNT permissions.

[joviegas]

Motivation and Context

• Apache HC5 5.6 defaults SocketConfig.Builder to tcpKeepIdle=5, tcpKeepInterval=5, tcpKeepCount=3 with httpcomponents-core#550 (Enable five-second TCP keep-alive by default apache/httpcomponents-core#550)
• This requires jdk.net.NetworkPermission for setOption.TCP_KEEPIDLE, setOption.TCP_KEEPINTERVAL, and setOption.TCP_KEEPCOUNT. When a SecurityManager is active without these permissions granted, customers get an AccessControlException at request time with no indication of which permissions are missing.
• This change throws an IllegalStateException at client construction time listing the exact permissions required, so customers know what to fix before sending any requests.

Modifications

• Added checkTcpKeepAlivePermissions() in Apache5HttpClient.DefaultBuilder.buildWithDefaults() that checks the three required jkdk.net.NetworkPermission entries when a SecurityManager is active.
• Throws IllegalStateException listing the missing permissions at client construction time instead of AccessControlException at first request.
• Uses ClassLoaderHelper.loadClass() to reflectively load jdk.net.NetworkPermission since the class is in an optional JDK module.

Testing

• Added Junit tests

Screenshots (if appropriate)

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)

License

• I confirm that this pull request can be released under the Apache 2 license

[joviegas]

Note that NetworkPermission is marked for forRemoval in Java 25 thus loading it from ClassLoaderHelper to prevent ClassNotFoundException for future Java versions.
https://docs.oracle.com/en/java/javase/26/docs/api/jdk.net/jdk/net/NetworkPermission.html

[dagnir]

Not a blocker, but can we add a test that uses a security manager with expected permissions enabled + makes an API call so we can catch any instances where more permissions have to be granted, for example in a new Apache 5.x minor version.

[joviegas]

Not a blocker, but can we add a test that uses a security manager with expected permissions enabled + makes an API call so we can catch any instances where more permissions have to be granted, for example in a new Apache 5.x minor version.

Good call out.
Added SdkHttpClientSecurityManagerTestSuite which does SecurityManager test for both Apache4 and Apache5. The only difference in the permission between these two clients are for TCP_KEEPIDLE/TCP_KEEPINTERVAL/TCP_KEEPCOUNT .