geode-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jacob Barrett <jbarr...@pivotal.io>
Subject Re: Proposal to modify Servlet spec support for the HTTP Session Management Module for AppServers
Date Sat, 16 Nov 2019 03:27:04 GMT
+1 for 3.1

> On Nov 15, 2019, at 3:08 PM, Jens Deppe <jdeppe@pivotal.io> wrote:
> 
> +1 to bumping the documented support to 3.1.
> 
> The prompting for this proposal is due to this PR which specifically wants
> to utilize a *3.0* API: https://github.com/apache/geode/pull/4311
> 
> Thus implementing this change will not preclude being able to use the
> Session Module in a 3.0 container (even if we document support as being
> against 3.1)
> 
> --Jens
> 
>> On Fri, Nov 15, 2019 at 2:57 PM John Blum <jblum@pivotal.io> wrote:
>> 
>> I would minimally bump it to 3.1 then.  Not only does Servlet 3.1 open up
>> more doors (e.g. NIO), but is also implemented by all current Servlet
>> Container providers (Tomcat, Jetty, etc).  Additionally, given all the
>> Servlet Containers Jens mentioned at the version that started supporting
>> Servlet 3.0 are no longer supported, then 3.1 seems like a good/reasonable
>> target.
>> 
>> -j
>> 
>>> On Fri, Nov 15, 2019 at 12:49 PM Dan Smith <dsmith@pivotal.io> wrote:
>>> 
>>> +1 to bumping to servlet 3.0.
>>> 
>>> -Dan
>>> 
>>> On Fri, Nov 15, 2019 at 12:16 PM Charles Smith <SmithC14@macewan.ca>
>>> wrote:
>>> 
>>>> Seems to me as long as newer Servlet specs do not deprecate
>>>> functionality/api that the session module requires AND that the session
>>>> module is not missing any important functionality provided by newer
>>> Servlet
>>>> specs that it's best to base support the oldest Servlet spec that is
>>> still
>>>> supported by active container versions. As Jens nicely enumerated, this
>>>> seems to be Servlet 3.0 right now.
>>>> 
>>>> At least that's the approach that would give the session management
>>>> modules the widest audience. I am currently writing a Servlet 4.0 web
>> app
>>>> and the Geode session module is working great except that I need to
>> layer
>>>> on an additional filter to ensure my session cookies are secure.
>>>> 
>>>> 
>>>> --
>>>> 
>>>> Charles Smith
>>>> 
>>>> Developer/Analyst
>>>> 
>>>> Web Architecture and Development
>>>> MacEwan University
>>>> smithc14@macewan.ca
>>>> 
>>>> 
>>>> ________________________________
>>>> From: John Blum <jblum@pivotal.io>
>>>> Sent: Friday, November 15, 2019 11:17 AM
>>>> To: geode <dev@geode.apache.org>
>>>> Subject: Re: Proposal to modify Servlet spec support for the HTTP
>> Session
>>>> Management Module for AppServers
>>>> 
>>>> Since the Servlet 3.1 spec is available and the current version is 4.0,
>>> why
>>>> not consider 3.1 or even 4.0, actually?
>>>> 
>>>> -j
>>>> 
>>>> On Fri, Nov 15, 2019 at 8:59 AM Jens Deppe <jdeppe@pivotal.io> wrote:
>>>> 
>>>>> Hello Charles; thanks very much for bringing this up.
>>>>> 
>>>>> I vote +1 on this proposal.
>>>>> 
>>>>> Just to add a bit more details for others:
>>>>> 
>>>>> The 3.0 Servlet Spec was finalized at the end of 2009. The *earliest*
>>>>> versions of various containers that supported it are:
>>>>> 
>>>>>   - Jetty 8 (EOL'd since 11/2014) [1]
>>>>>   - Tomcat 7 (Version 6 EOL'd 2017) [2]
>>>>>   - JBoss Web 3.0.0 (version 2.x reached End of Maintenance 11/2017)
>>> [3]
>>>>>   - Websphere 8.0 (End of support 4/2018) [4]
>>>>>   - Weblogic 12cR1 (Extended Support until 12/2019) [5]
>>>>> 
>>>>> The implication is that, of these products, there are *no* currently
>>>>> supported versions that *do not* support the Servlet 3.0 spec. I
>>> believe
>>>> it
>>>>> is quite safe for us to indicate that the Session Modules are now
>> only
>>>>> supported on 3.0 compliant containers.
>>>>> 
>>>>> --Jens
>>>>> 
>>>>> [1] -
>>>>> 
>>>> 
>>> 
>> https://www.eclipse.org/jetty/documentation/current/what-jetty-version.html
>>>>> [2] - http://tomcat.apache.org/whichversion.html
>>>>> [3] - https://access.redhat.com/support/policy/updates/jboss_notes
>>>>> [4] - https://en.wikipedia.org/wiki/IBM_WebSphere_Application_Server
>>>>> [5] -
>>>>> 
>>>>> 
>>>> 
>>> 
>> https://www.solstice.com/fwd/survival-guide-to-webspheres-and-weblogics-end-of-life
>>>>> 
>>>>> On Fri, Nov 15, 2019 at 8:11 AM Charles Smith <SmithC14@macewan.ca>
>>>> wrote:
>>>>> 
>>>>>> Hello,
>>>>>> 
>>>>>> The Geode HTTP Session Management Module for AppServers currently
>>>> states:
>>>>>> This approach is a generic solution, which is supported by any
>>>> container
>>>>>> that implements the Servlet 2.4 specification.
>>>>>> I would like to suggest that this official support be bumped up to
>>> the
>>>>>> Servlet 3.0 specification.
>>>>>> 
>>>>>> There are some important cookie security features missing in the
>>>> ancient
>>>>>> Servlet 2.4 spec, namely the secure and httpOnly flags. Bumping
>>> support
>>>>> to
>>>>>> Servlet 3.0 would allow the Geode AppServer session module to
>>>> inherently
>>>>>> support these session cookie security features.
>>>>>> 
>>>>>> I have logged the following Jira issue:
>>>>>> 
>>>>>> https://issues.apache.org/jira/browse/GEODE-7438
>>>>>> 
>>>>>> and submitted a pull request that provides the necessary support
if
>>> the
>>>>>> Geode community agrees this is a good idea.
>>>>>> 
>>>>>> And thank you for the excellent Apache Geode project!
>>>>>> 
>>>>>> --
>>>>>> 
>>>>>> Charles Smith
>>>>>> 
>>>>>> Developer/Analyst
>>>>>> 
>>>>>> Web Architecture and Development
>>>>>> MacEwan University
>>>>>> smithc14@macewan.ca
>>>>>> 
>>>>>> 
>>>>> 
>>>> 
>>>> 
>>>> --
>>>> -John
>>>> john.blum10101 (skype)
>>>> 
>>> 
>> 
>> 
>> --
>> -John
>> john.blum10101 (skype)
>> 

Mime
View raw message