From: Jacob Barrett
Subject: Re: Proposal to modify Servlet spec support for the HTTP Session Management Module for AppServers
Date: Fri, 15 Nov 2019 19:27:04 -0800
Message-Id: <55A8927F-C0DB-4DCC-AF7D-5C01A409D7C7@pivotal.io>
To: dev@geode.apache.org

+1 for 3.1

> On Nov 15, 2019, at 3:08 PM, Jens Deppe wrote:
>
> +1 to bumping the documented support to 3.1.
>
> The prompting for this proposal is due to this PR which specifically wants
> to utilize a *3.0* API: https://github.com/apache/geode/pull/4311
>
> Thus implementing this change will not preclude being able to use the
> Session Module in a 3.0 container (even if we document support as being
> against 3.1)
>
> --Jens
>
>> On Fri, Nov 15, 2019 at 2:57 PM John Blum wrote:
>>
>> I would minimally bump it to 3.1 then. Not only does Servlet 3.1 open up
>> more doors (e.g. NIO), but it is also implemented by all current Servlet
>> Container providers (Tomcat, Jetty, etc). Additionally, given all the
>> Servlet Containers Jens mentioned at the version that started supporting
>> Servlet 3.0 are no longer supported, then 3.1 seems like a good/reasonable
>> target.
>>
>> -j
>>
>>> On Fri, Nov 15, 2019 at 12:49 PM Dan Smith wrote:
>>>
>>> +1 to bumping to servlet 3.0.
>>>
>>> -Dan
>>>
>>> On Fri, Nov 15, 2019 at 12:16 PM Charles Smith wrote:
>>>
>>>> Seems to me as long as newer Servlet specs do not deprecate
>>>> functionality/api that the session module requires AND that the session
>>>> module is not missing any important functionality provided by newer Servlet
>>>> specs that it's best to base support on the oldest Servlet spec that is still
>>>> supported by active container versions. As Jens nicely enumerated, this
>>>> seems to be Servlet 3.0 right now.
>>>>
>>>> At least that's the approach that would give the session management
>>>> modules the widest audience. I am currently writing a Servlet 4.0 web app
>>>> and the Geode session module is working great except that I need to layer
>>>> on an additional filter to ensure my session cookies are secure.
>>>>
>>>> --
>>>> Charles Smith
>>>> Developer/Analyst
>>>> Web Architecture and Development
>>>> MacEwan University
>>>> smithc14@macewan.ca
>>>>
>>>> ________________________________
>>>> From: John Blum
>>>> Sent: Friday, November 15, 2019 11:17 AM
>>>> To: geode
>>>> Subject: Re: Proposal to modify Servlet spec support for the HTTP Session Management Module for AppServers
>>>>
>>>> Since the Servlet 3.1 spec is available and the current version is 4.0, why
>>>> not consider 3.1 or even 4.0, actually?
>>>>
>>>> -j
>>>>
>>>> On Fri, Nov 15, 2019 at 8:59 AM Jens Deppe wrote:
>>>>
>>>>> Hello Charles; thanks very much for bringing this up.
>>>>>
>>>>> I vote +1 on this proposal.
>>>>>
>>>>> Just to add a bit more detail for others:
>>>>>
>>>>> The 3.0 Servlet Spec was finalized at the end of 2009. The *earliest*
>>>>> versions of various containers that supported it are:
>>>>>
>>>>> - Jetty 8 (EOL'd since 11/2014) [1]
>>>>> - Tomcat 7 (Version 6 EOL'd 2017) [2]
>>>>> - JBoss Web 3.0.0 (version 2.x reached End of Maintenance 11/2017) [3]
>>>>> - Websphere 8.0 (End of support 4/2018) [4]
>>>>> - Weblogic 12cR1 (Extended Support until 12/2019) [5]
>>>>>
>>>>> The implication is that, of these products, there are *no* currently
>>>>> supported versions that *do not* support the Servlet 3.0 spec. I believe it
>>>>> is quite safe for us to indicate that the Session Modules are now only
>>>>> supported on 3.0 compliant containers.
>>>>>
>>>>> --Jens
>>>>>
>>>>> [1] - https://www.eclipse.org/jetty/documentation/current/what-jetty-version.html
>>>>> [2] - http://tomcat.apache.org/whichversion.html
>>>>> [3] - https://access.redhat.com/support/policy/updates/jboss_notes
>>>>> [4] - https://en.wikipedia.org/wiki/IBM_WebSphere_Application_Server
>>>>> [5] - https://www.solstice.com/fwd/survival-guide-to-webspheres-and-weblogics-end-of-life
>>>>>
>>>>> On Fri, Nov 15, 2019 at 8:11 AM Charles Smith wrote:
>>>>>
>>>>>> Hello,
>>>>>>
>>>>>> The Geode HTTP Session Management Module for AppServers currently states:
>>>>>> This approach is a generic solution, which is supported by any container
>>>>>> that implements the Servlet 2.4 specification.
>>>>>> I would like to suggest that this official support be bumped up to the
>>>>>> Servlet 3.0 specification.
>>>>>>
>>>>>> There are some important cookie security features missing in the ancient
>>>>>> Servlet 2.4 spec, namely the secure and httpOnly flags. Bumping support to
>>>>>> Servlet 3.0 would allow the Geode AppServer session module to inherently
>>>>>> support these session cookie security features.
>>>>>>
>>>>>> I have logged the following Jira issue:
>>>>>>
>>>>>> https://issues.apache.org/jira/browse/GEODE-7438
>>>>>>
>>>>>> and submitted a pull request that provides the necessary support if the
>>>>>> Geode community agrees this is a good idea.
>>>>>>
>>>>>> And thank you for the excellent Apache Geode project!
>>>>>>
>>>>>> --
>>>>>> Charles Smith
>>>>>> Developer/Analyst
>>>>>> Web Architecture and Development
>>>>>> MacEwan University
>>>>>> smithc14@macewan.ca
>>>>
>>>> --
>>>> -John
>>>> john.blum10101 (skype)
>>
>> --
>> -John
>> john.blum10101 (skype)
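The cookie flags Charles refers to are the reason the Servlet version matters here: Servlet 2.4 has no API for them, so an application had to wrap the response and append `Secure` and `HttpOnly` to the `Set-Cookie` header itself, while Servlet 3.0 exposes them through `javax.servlet.SessionCookieConfig`. The listener below is an added example showing that 3.0 API; it is not code from this thread or from Geode's session module, and it assumes a plain Servlet 3.0 container with annotation scanning enabled (the class name `SecureSessionCookieListener` is a hypothetical one).

```java
import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionCookieConfig;
import javax.servlet.annotation.WebListener;

/**
 * Added example, not Geode code: marks the container-managed session cookie
 * Secure and HttpOnly via the Servlet 3.0 SessionCookieConfig API.
 *
 * The configuration must be applied before the context finishes starting;
 * SessionCookieConfig setters throw IllegalStateException once the
 * ServletContext has been initialized, so a ServletContextListener (or the
 * <cookie-config> element in web.xml) is the right place for it.
 */
@WebListener
public class SecureSessionCookieListener implements ServletContextListener {

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        ServletContext ctx = sce.getServletContext();
        SessionCookieConfig cookie = ctx.getSessionCookieConfig();

        // Secure: the browser only sends the session id over TLS, so a
        // plaintext HTTP request cannot leak it on the wire.
        cookie.setSecure(true);

        // HttpOnly: the cookie is not exposed through document.cookie, which
        // limits what injected script can do with the session id.
        cookie.setHttpOnly(true);

        // Scope the cookie to this application instead of the container root
        // so it is not presented to other web apps on the same host.
        String contextPath = ctx.getContextPath();
        cookie.setPath(contextPath.isEmpty() ? "/" : contextPath);

        // Record the effective settings at startup so a misconfiguration is
        // visible in the container log rather than discovered in a pentest.
        ctx.log("session cookie config: name=" + cookie.getName()
                + " secure=" + cookie.isSecure()
                + " httpOnly=" + cookie.isHttpOnly()
                + " path=" + cookie.getPath());
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) {
        // Nothing to release; the cookie configuration dies with the context.
    }
}
```

Two behaviours worth knowing when turning this on: `setSecure(true)` forces the flag even on requests the container sees as plain HTTP, which is what you want behind a TLS-terminating proxy but will make sessions appear to "not stick" on a plain-HTTP developer deployment; and the same settings can be declared without code in a 3.0 `web.xml` under `<session-config><cookie-config>` with `<secure>true</secure>` and `<http-only>true</http-only>`, which is the natural place for a module like Geode's to surface them.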