See http://blog.jayway.com/2008/09/30/spring-remoting-with-security-and-ssl/ . By adding the CommonsHttpHttpRequestInvoker the core framework could be better supported.
Seems to be a duplicate of https://jira.springsource.org/browse/SEC-1040 - but I still think it would be very handy ootb.
Yes, this was already considered and rejected for the reasons described. It is a simple matter to roll your own as described in the blog and I don't want to introduce a dependency on a specific version of commons HttpClient in the project core.
This issue has been migrated to https://github.com/spring-projects/spring-security/issues/1877