geode-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jens Deppe <jensde...@apache.org>
Subject Re: Proposal to modify Servlet spec support for the HTTP Session Management Module for AppServers
Date Wed, 20 Nov 2019 17:17:55 GMT
Since there appears to be consensus, I'm going to give this thread another
24 hours and will then consider this proposal accepted.

If anyone does have concerns please do raise them now.

Thanks
--Jens

On Sat, Nov 16, 2019 at 8:17 AM Joris Melchior <jmelchior@pivotal.io> wrote:

> +1 for bumping to 3.1
>
> On Fri, Nov 15, 2019 at 10:27 PM Jacob Barrett <jbarrett@pivotal.io>
> wrote:
>
> > +1 for 3.1
> >
> > > On Nov 15, 2019, at 3:08 PM, Jens Deppe <jdeppe@pivotal.io> wrote:
> > >
> > > +1 to bumping the documented support to 3.1.
> > >
> > > The prompting for this proposal is due to this PR which specifically
> > wants
> > > to utilize a *3.0* API: https://github.com/apache/geode/pull/4311
> > >
> > > Thus implementing this change will not preclude being able to use the
> > > Session Module in a 3.0 container (even if we document support as being
> > > against 3.1)
> > >
> > > --Jens
> > >
> > >> On Fri, Nov 15, 2019 at 2:57 PM John Blum <jblum@pivotal.io> wrote:
> > >>
> > >> I would minimally bump it to 3.1 then.  Not only does Servlet 3.1 open
> > up
> > >> more doors (e.g. NIO), but is also implemented by all current Servlet
> > >> Container providers (Tomcat, Jetty, etc).  Additionally, given all the
> > >> Servlet Containers Jens mentioned at the version that started
> supporting
> > >> Servlet 3.0 are no longer supported, then 3.1 seems like a
> > good/reasonable
> > >> target.
> > >>
> > >> -j
> > >>
> > >>> On Fri, Nov 15, 2019 at 12:49 PM Dan Smith <dsmith@pivotal.io>
> wrote:
> > >>>
> > >>> +1 to bumping to servlet 3.0.
> > >>>
> > >>> -Dan
> > >>>
> > >>> On Fri, Nov 15, 2019 at 12:16 PM Charles Smith <SmithC14@macewan.ca>
> > >>> wrote:
> > >>>
> > >>>> Seems to me as long as newer Servlet specs do not deprecate
> > >>>> functionality/api that the session module requires AND that the
> > session
> > >>>> module is not missing any important functionality provided by newer
> > >>> Servlet
> > >>>> specs that it's best to base support the oldest Servlet spec that
is
> > >>> still
> > >>>> supported by active container versions. As Jens nicely enumerated,
> > this
> > >>>> seems to be Servlet 3.0 right now.
> > >>>>
> > >>>> At least that's the approach that would give the session management
> > >>>> modules the widest audience. I am currently writing a Servlet 4.0
> web
> > >> app
> > >>>> and the Geode session module is working great except that I need
to
> > >> layer
> > >>>> on an additional filter to ensure my session cookies are secure.
> > >>>>
> > >>>>
> > >>>> --
> > >>>>
> > >>>> Charles Smith
> > >>>>
> > >>>> Developer/Analyst
> > >>>>
> > >>>> Web Architecture and Development
> > >>>> MacEwan University
> > >>>> smithc14@macewan.ca
> > >>>>
> > >>>>
> > >>>> ________________________________
> > >>>> From: John Blum <jblum@pivotal.io>
> > >>>> Sent: Friday, November 15, 2019 11:17 AM
> > >>>> To: geode <dev@geode.apache.org>
> > >>>> Subject: Re: Proposal to modify Servlet spec support for the HTTP
> > >> Session
> > >>>> Management Module for AppServers
> > >>>>
> > >>>> Since the Servlet 3.1 spec is available and the current version
is
> > 4.0,
> > >>> why
> > >>>> not consider 3.1 or even 4.0, actually?
> > >>>>
> > >>>> -j
> > >>>>
> > >>>> On Fri, Nov 15, 2019 at 8:59 AM Jens Deppe <jdeppe@pivotal.io>
> wrote:
> > >>>>
> > >>>>> Hello Charles; thanks very much for bringing this up.
> > >>>>>
> > >>>>> I vote +1 on this proposal.
> > >>>>>
> > >>>>> Just to add a bit more details for others:
> > >>>>>
> > >>>>> The 3.0 Servlet Spec was finalized at the end of 2009. The
> *earliest*
> > >>>>> versions of various containers that supported it are:
> > >>>>>
> > >>>>>   - Jetty 8 (EOL'd since 11/2014) [1]
> > >>>>>   - Tomcat 7 (Version 6 EOL'd 2017) [2]
> > >>>>>   - JBoss Web 3.0.0 (version 2.x reached End of Maintenance
> 11/2017)
> > >>> [3]
> > >>>>>   - Websphere 8.0 (End of support 4/2018) [4]
> > >>>>>   - Weblogic 12cR1 (Extended Support until 12/2019) [5]
> > >>>>>
> > >>>>> The implication is that, of these products, there are *no*
> currently
> > >>>>> supported versions that *do not* support the Servlet 3.0 spec.
I
> > >>> believe
> > >>>> it
> > >>>>> is quite safe for us to indicate that the Session Modules are
now
> > >> only
> > >>>>> supported on 3.0 compliant containers.
> > >>>>>
> > >>>>> --Jens
> > >>>>>
> > >>>>> [1] -
> > >>>>>
> > >>>>
> > >>>
> > >>
> >
> https://www.eclipse.org/jetty/documentation/current/what-jetty-version.html
> > >>>>> [2] - http://tomcat.apache.org/whichversion.html
> > >>>>> [3] - https://access.redhat.com/support/policy/updates/jboss_notes
> > >>>>> [4] -
> https://en.wikipedia.org/wiki/IBM_WebSphere_Application_Server
> > >>>>> [5] -
> > >>>>>
> > >>>>>
> > >>>>
> > >>>
> > >>
> >
> https://www.solstice.com/fwd/survival-guide-to-webspheres-and-weblogics-end-of-life
> > >>>>>
> > >>>>> On Fri, Nov 15, 2019 at 8:11 AM Charles Smith <SmithC14@macewan.ca
> >
> > >>>> wrote:
> > >>>>>
> > >>>>>> Hello,
> > >>>>>>
> > >>>>>> The Geode HTTP Session Management Module for AppServers
currently
> > >>>> states:
> > >>>>>> This approach is a generic solution, which is supported
by any
> > >>>> container
> > >>>>>> that implements the Servlet 2.4 specification.
> > >>>>>> I would like to suggest that this official support be bumped
up to
> > >>> the
> > >>>>>> Servlet 3.0 specification.
> > >>>>>>
> > >>>>>> There are some important cookie security features missing
in the
> > >>>> ancient
> > >>>>>> Servlet 2.4 spec, namely the secure and httpOnly flags.
Bumping
> > >>> support
> > >>>>> to
> > >>>>>> Servlet 3.0 would allow the Geode AppServer session module
to
> > >>>> inherently
> > >>>>>> support these session cookie security features.
> > >>>>>>
> > >>>>>> I have logged the following Jira issue:
> > >>>>>>
> > >>>>>> https://issues.apache.org/jira/browse/GEODE-7438
> > >>>>>>
> > >>>>>> and submitted a pull request that provides the necessary
support
> if
> > >>> the
> > >>>>>> Geode community agrees this is a good idea.
> > >>>>>>
> > >>>>>> And thank you for the excellent Apache Geode project!
> > >>>>>>
> > >>>>>> --
> > >>>>>>
> > >>>>>> Charles Smith
> > >>>>>>
> > >>>>>> Developer/Analyst
> > >>>>>>
> > >>>>>> Web Architecture and Development
> > >>>>>> MacEwan University
> > >>>>>> smithc14@macewan.ca
> > >>>>>>
> > >>>>>>
> > >>>>>
> > >>>>
> > >>>>
> > >>>> --
> > >>>> -John
> > >>>> john.blum10101 (skype)
> > >>>>
> > >>>
> > >>
> > >>
> > >> --
> > >> -John
> > >> john.blum10101 (skype)
> > >>
> >
>
>
> --
> *Joris Melchior *
> CF Engineering
> Pivotal Toronto
> 416 877 5427
>
> “Programs must be written for people to read, and only incidentally for
> machines to execute.” – *Hal Abelson*
> <https://en.wikipedia.org/wiki/Hal_Abelson>
>

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message