geode-dev mailing list archives

From John Blum <jb...@pivotal.io>
Subject Re: Proposal to modify Servlet spec support for the HTTP Session Management Module for AppServers
Date Fri, 15 Nov 2019 18:17:23 GMT
Since the Servlet 3.1 spec is available and the current version is 4.0, why
not consider 3.1 or even 4.0, actually?

-j

On Fri, Nov 15, 2019 at 8:59 AM Jens Deppe <jdeppe@pivotal.io> wrote:

> Hello Charles; thanks very much for bringing this up.
>
> I vote +1 on this proposal.
>
> Just to add a bit more detail for others:
>
> The 3.0 Servlet Spec was finalized at the end of 2009. The *earliest*
> versions of various containers that supported it are:
>
>    - Jetty 8 (EOL'd since 11/2014) [1]
>    - Tomcat 7 (Version 6 EOL'd 2017) [2]
>    - JBoss Web 3.0.0 (version 2.x reached End of Maintenance 11/2017) [3]
>    - WebSphere 8.0 (End of support 4/2018) [4]
>    - WebLogic 12cR1 (Extended Support until 12/2019) [5]
>
> The implication is that, of these products, there are *no* currently
> supported versions that *do not* support the Servlet 3.0 spec. I believe it
> is quite safe for us to indicate that the Session Modules are now only
> supported on 3.0 compliant containers.
>
> --Jens
>
> [1] - https://www.eclipse.org/jetty/documentation/current/what-jetty-version.html
> [2] - http://tomcat.apache.org/whichversion.html
> [3] - https://access.redhat.com/support/policy/updates/jboss_notes
> [4] - https://en.wikipedia.org/wiki/IBM_WebSphere_Application_Server
> [5] - https://www.solstice.com/fwd/survival-guide-to-webspheres-and-weblogics-end-of-life
>
> On Fri, Nov 15, 2019 at 8:11 AM Charles Smith <SmithC14@macewan.ca> wrote:
>
> > Hello,
> >
> > The Geode HTTP Session Management Module for AppServers currently states:
> > This approach is a generic solution, which is supported by any container
> > that implements the Servlet 2.4 specification.
> > I would like to suggest that this official support be bumped up to the
> > Servlet 3.0 specification.
> >
> > There are some important cookie security features missing in the ancient
> > Servlet 2.4 spec, namely the secure and httpOnly flags. Bumping support to
> > Servlet 3.0 would allow the Geode AppServer session module to inherently
> > support these session cookie security features.
> >
> > I have logged the following Jira issue:
> >
> > https://issues.apache.org/jira/browse/GEODE-7438
> >
> > and submitted a pull request that provides the necessary support if the
> > Geode community agrees this is a good idea.
> >
> > And thank you for the excellent Apache Geode project!
> >
> > --
> >
> > Charles Smith
> >
> > Developer/Analyst
> >
> > Web Architecture and Development
> > MacEwan University
> > smithc14@macewan.ca
> >
> >
>


-- 
-John
john.blum10101 (skype)
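
The session cookie flags discussed in this thread, set through the standard Servlet 3.0 API. This is an added example, not code from the Geode session module or from the pull request; the class name is hypothetical, and it goes slightly beyond the thread by also restricting session tracking to cookies.

```java
import java.util.EnumSet;

import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionCookieConfig;
import javax.servlet.SessionTrackingMode;
import javax.servlet.annotation.WebListener;

// Hypothetical listener name. @WebListener is itself a Servlet 3.0 feature,
// so a Servlet 2.4 container never registers this class.
@WebListener
public class SessionCookieHardeningListener implements ServletContextListener {

    @Override
    public void contextInitialized(ServletContextEvent event) {
        ServletContext ctx = event.getServletContext();

        // SessionCookieConfig was introduced in Servlet 3.0. It configures the
        // cookie the container issues for session tracking, which application
        // code never constructs itself.
        SessionCookieConfig cookie = ctx.getSessionCookieConfig();

        // HttpOnly: the browser does not expose the cookie to page scripts.
        cookie.setHttpOnly(true);

        // Secure: the browser sends the cookie only over HTTPS.
        cookie.setSecure(true);

        // Cookie flags do not protect a session id carried in the URL
        // (;jsessionid=...), so allow cookie-based tracking only.
        ctx.setSessionTrackingModes(EnumSet.of(SessionTrackingMode.COOKIE));
    }

    @Override
    public void contextDestroyed(ServletContextEvent event) {
        // Nothing to release. Servlet 3.0 requires the method to be
        // implemented; default methods arrived with Servlet 4.0.
    }
}
```

The same two flags can be declared without code in a Servlet 3.0 web.xml under session-config/cookie-config, using the http-only and secure elements.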
