From: John Blum
Date: Fri, 15 Nov 2019 10:17:23 -0800
Subject: Re: Proposal to modify Servlet spec support for the HTTP Session Management Module for AppServers
To: geode

Since the Servlet 3.1 spec is available and the current version is 4.0, why
not consider 3.1 or even 4.0, actually?

-j

On Fri, Nov 15, 2019 at 8:59 AM Jens Deppe wrote:

> Hello Charles; thanks very much for bringing this up.
>
> I vote +1 on this proposal.
>
> Just to add a bit more details for others:
>
> The 3.0 Servlet Spec was finalized at the end of 2009. The *earliest*
> versions of various containers that supported it are:
>
> - Jetty 8 (EOL'd since 11/2014) [1]
> - Tomcat 7 (Version 6 EOL'd 2017) [2]
> - JBoss Web 3.0.0 (version 2.x reached End of Maintenance 11/2017) [3]
> - Websphere 8.0 (End of support 4/2018) [4]
> - Weblogic 12cR1 (Extended Support until 12/2019) [5]
>
> The implication is that, of these products, there are *no* currently
> supported versions that *do not* support the Servlet 3.0 spec. I believe it
> is quite safe for us to indicate that the Session Modules are now only
> supported on 3.0 compliant containers.
>
> --Jens
>
> [1] - https://www.eclipse.org/jetty/documentation/current/what-jetty-version.html
> [2] - http://tomcat.apache.org/whichversion.html
> [3] - https://access.redhat.com/support/policy/updates/jboss_notes
> [4] - https://en.wikipedia.org/wiki/IBM_WebSphere_Application_Server
> [5] - https://www.solstice.com/fwd/survival-guide-to-webspheres-and-weblogics-end-of-life
>
> On Fri, Nov 15, 2019 at 8:11 AM Charles Smith wrote:
>
> > Hello,
> >
> > The Geode HTTP Session Management Module for AppServers currently states:
> > This approach is a generic solution, which is supported by any container
> > that implements the Servlet 2.4 specification.
> > I would like to suggest that this official support be bumped up to the
> > Servlet 3.0 specification.
> >
> > There are some important cookie security features missing in the ancient
> > Servlet 2.4 spec, namely the secure and httpOnly flags. Bumping support to
> > Servlet 3.0 would allow the Geode AppServer session module to inherently
> > support these session cookie security features.
> >
> > I have logged the following Jira issue:
> >
> > https://issues.apache.org/jira/browse/GEODE-7438
> >
> > and submitted a pull request that provides the necessary support if the
> > Geode community agrees this is a good idea.
> >
> > And thank you for the excellent Apache Geode project!
> >
> > --
> >
> > Charles Smith
> >
> > Developer/Analyst
> >
> > Web Architecture and Development
> > MacEwan University
> > smithc14@macewan.ca

--
-John
john.blum10101 (skype)
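
The session cookie flags discussed in this thread, as an added example that is not part of the original messages, of the GEODE-7438 pull request, or of Geode's code: a Servlet 3.0 listener that sets httpOnly and secure on the container's session cookie through the standard SessionCookieConfig API. The class name is hypothetical, and restricting session tracking to cookies goes one step beyond what the thread mentions.

```java
import java.util.EnumSet;

import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionCookieConfig;
import javax.servlet.SessionTrackingMode;
import javax.servlet.annotation.WebListener;

// Hypothetical class name, chosen for this illustration only.
@WebListener
public class SecureSessionCookieListener implements ServletContextListener {

    @Override
    public void contextInitialized(ServletContextEvent event) {
        ServletContext context = event.getServletContext();

        // SessionCookieConfig was introduced in Servlet 3.0. It must be
        // changed before the context finishes initializing, which is why
        // this runs in a context listener.
        SessionCookieConfig cookie = context.getSessionCookieConfig();

        // HttpOnly: the browser does not expose the session id to scripts.
        cookie.setHttpOnly(true);

        // Secure: the browser sends the cookie over HTTPS only. Sessions
        // will not stick if the application is still served over plain HTTP.
        cookie.setSecure(true);

        // Assumption beyond the thread: track sessions by cookie only, so
        // the session id is never rewritten into URLs where the two flags
        // above offer no protection.
        context.setSessionTrackingModes(EnumSet.of(SessionTrackingMode.COOKIE));

        context.log("Session cookie flags: httpOnly=" + cookie.isHttpOnly()
                + ", secure=" + cookie.isSecure()
                + ", trackingModes=" + context.getEffectiveSessionTrackingModes());
    }

    @Override
    public void contextDestroyed(ServletContextEvent event) {
        // Nothing to release.
    }
}
```

The same two flags can be set declaratively with the `<session-config>` / `<cookie-config>` elements of a Servlet 3.0 `web.xml`.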