geode-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jens Deppe <jde...@pivotal.io>
Subject Re: Proposal to modify Servlet spec support for the HTTP Session Management Module for AppServers
Date Mon, 02 Dec 2019 15:17:04 GMT
For the purpose of moving this forward, I have merged PR #4311 [1]. From a
runtime POV this now requires a minimum 3.0 servlet compatible container.
Documented minimum, however, is at least 3.1.

I suggest that if anyone would like to see documented newer support that
that should be proposed separately.

Thanks
--Jens

[1] - https://github.com/apache/geode/pull/4311

On Wed, Nov 20, 2019 at 10:15 AM Jens Deppe <jdeppe@pivotal.io> wrote:

> To be clear, this proposal just wants to update the *minimum* *documented*
> requirement. The following PR would require that to be 3.0:
> https://github.com/apache/geode/pull/4311
>
> There is no additional change required other than documentation.
>
> --Jens
>
> On Wed, Nov 20, 2019 at 9:46 AM Udo Kohlmeyer <udo@apache.com> wrote:
>
>> I think that we should really be looking at going to 4.0.
>>
>> It would be compatible with 3.1, but given that 4.0 is standard with
>> Java 8 (which already EOL), we should try and get onto the latest.
>>
>> I don't think that us aligning ourselves with a tech release in 2013 is
>> something we should do.
>>
>> --Udo
>>
>> On 11/20/19 9:17 AM, Jens Deppe wrote:
>> > Since there appears to be consensus, I'm going to give this thread
>> another
>> > 24 hours and will then consider this proposal accepted.
>> >
>> > If anyone does have concerns please do raise them now.
>> >
>> > Thanks
>> > --Jens
>> >
>> > On Sat, Nov 16, 2019 at 8:17 AM Joris Melchior <jmelchior@pivotal.io>
>> wrote:
>> >
>> >> +1 for bumping to 3.1
>> >>
>> >> On Fri, Nov 15, 2019 at 10:27 PM Jacob Barrett <jbarrett@pivotal.io>
>> >> wrote:
>> >>
>> >>> +1 for 3.1
>> >>>
>> >>>> On Nov 15, 2019, at 3:08 PM, Jens Deppe <jdeppe@pivotal.io>
wrote:
>> >>>>
>> >>>> +1 to bumping the documented support to 3.1.
>> >>>>
>> >>>> The prompting for this proposal is due to this PR which specifically
>> >>> wants
>> >>>> to utilize a *3.0* API: https://github.com/apache/geode/pull/4311
>> >>>>
>> >>>> Thus implementing this change will not preclude being able to use
the
>> >>>> Session Module in a 3.0 container (even if we document support as
>> being
>> >>>> against 3.1)
>> >>>>
>> >>>> --Jens
>> >>>>
>> >>>>> On Fri, Nov 15, 2019 at 2:57 PM John Blum <jblum@pivotal.io>
wrote:
>> >>>>>
>> >>>>> I would minimally bump it to 3.1 then.  Not only does Servlet
3.1
>> open
>> >>> up
>> >>>>> more doors (e.g. NIO), but is also implemented by all current
>> Servlet
>> >>>>> Container providers (Tomcat, Jetty, etc).  Additionally, given
all
>> the
>> >>>>> Servlet Containers Jens mentioned at the version that started
>> >> supporting
>> >>>>> Servlet 3.0 are no longer supported, then 3.1 seems like a
>> >>> good/reasonable
>> >>>>> target.
>> >>>>>
>> >>>>> -j
>> >>>>>
>> >>>>>> On Fri, Nov 15, 2019 at 12:49 PM Dan Smith <dsmith@pivotal.io>
>> >> wrote:
>> >>>>>> +1 to bumping to servlet 3.0.
>> >>>>>>
>> >>>>>> -Dan
>> >>>>>>
>> >>>>>> On Fri, Nov 15, 2019 at 12:16 PM Charles Smith <
>> SmithC14@macewan.ca>
>> >>>>>> wrote:
>> >>>>>>
>> >>>>>>> Seems to me as long as newer Servlet specs do not deprecate
>> >>>>>>> functionality/api that the session module requires AND
that the
>> >>> session
>> >>>>>>> module is not missing any important functionality provided
by
>> newer
>> >>>>>> Servlet
>> >>>>>>> specs that it's best to base support the oldest Servlet
spec that
>> is
>> >>>>>> still
>> >>>>>>> supported by active container versions. As Jens nicely
enumerated,
>> >>> this
>> >>>>>>> seems to be Servlet 3.0 right now.
>> >>>>>>>
>> >>>>>>> At least that's the approach that would give the session
>> management
>> >>>>>>> modules the widest audience. I am currently writing
a Servlet 4.0
>> >> web
>> >>>>> app
>> >>>>>>> and the Geode session module is working great except
that I need
>> to
>> >>>>> layer
>> >>>>>>> on an additional filter to ensure my session cookies
are secure.
>> >>>>>>>
>> >>>>>>>
>> >>>>>>> --
>> >>>>>>>
>> >>>>>>> Charles Smith
>> >>>>>>>
>> >>>>>>> Developer/Analyst
>> >>>>>>>
>> >>>>>>> Web Architecture and Development
>> >>>>>>> MacEwan University
>> >>>>>>> smithc14@macewan.ca
>> >>>>>>>
>> >>>>>>>
>> >>>>>>> ________________________________
>> >>>>>>> From: John Blum <jblum@pivotal.io>
>> >>>>>>> Sent: Friday, November 15, 2019 11:17 AM
>> >>>>>>> To: geode <dev@geode.apache.org>
>> >>>>>>> Subject: Re: Proposal to modify Servlet spec support
for the HTTP
>> >>>>> Session
>> >>>>>>> Management Module for AppServers
>> >>>>>>>
>> >>>>>>> Since the Servlet 3.1 spec is available and the current
version is
>> >>> 4.0,
>> >>>>>> why
>> >>>>>>> not consider 3.1 or even 4.0, actually?
>> >>>>>>>
>> >>>>>>> -j
>> >>>>>>>
>> >>>>>>> On Fri, Nov 15, 2019 at 8:59 AM Jens Deppe <jdeppe@pivotal.io>
>> >> wrote:
>> >>>>>>>> Hello Charles; thanks very much for bringing this
up.
>> >>>>>>>>
>> >>>>>>>> I vote +1 on this proposal.
>> >>>>>>>>
>> >>>>>>>> Just to add a bit more details for others:
>> >>>>>>>>
>> >>>>>>>> The 3.0 Servlet Spec was finalized at the end of
2009. The
>> >> *earliest*
>> >>>>>>>> versions of various containers that supported it
are:
>> >>>>>>>>
>> >>>>>>>>    - Jetty 8 (EOL'd since 11/2014) [1]
>> >>>>>>>>    - Tomcat 7 (Version 6 EOL'd 2017) [2]
>> >>>>>>>>    - JBoss Web 3.0.0 (version 2.x reached End of
Maintenance
>> >> 11/2017)
>> >>>>>> [3]
>> >>>>>>>>    - Websphere 8.0 (End of support 4/2018) [4]
>> >>>>>>>>    - Weblogic 12cR1 (Extended Support until 12/2019)
[5]
>> >>>>>>>>
>> >>>>>>>> The implication is that, of these products, there
are *no*
>> >> currently
>> >>>>>>>> supported versions that *do not* support the Servlet
3.0 spec. I
>> >>>>>> believe
>> >>>>>>> it
>> >>>>>>>> is quite safe for us to indicate that the Session
Modules are now
>> >>>>> only
>> >>>>>>>> supported on 3.0 compliant containers.
>> >>>>>>>>
>> >>>>>>>> --Jens
>> >>>>>>>>
>> >>>>>>>> [1] -
>> >>>>>>>>
>> >>
>> https://www.eclipse.org/jetty/documentation/current/what-jetty-version.html
>> >>>>>>>> [2] - http://tomcat.apache.org/whichversion.html
>> >>>>>>>> [3] -
>> https://access.redhat.com/support/policy/updates/jboss_notes
>> >>>>>>>> [4] -
>> >> https://en.wikipedia.org/wiki/IBM_WebSphere_Application_Server
>> >>>>>>>> [5] -
>> >>>>>>>>
>> >>>>>>>>
>> >>
>> https://www.solstice.com/fwd/survival-guide-to-webspheres-and-weblogics-end-of-life
>> >>>>>>>> On Fri, Nov 15, 2019 at 8:11 AM Charles Smith <
>> SmithC14@macewan.ca
>> >>>>>>> wrote:
>> >>>>>>>>> Hello,
>> >>>>>>>>>
>> >>>>>>>>> The Geode HTTP Session Management Module for
AppServers
>> currently
>> >>>>>>> states:
>> >>>>>>>>> This approach is a generic solution, which is
supported by any
>> >>>>>>> container
>> >>>>>>>>> that implements the Servlet 2.4 specification.
>> >>>>>>>>> I would like to suggest that this official support
be bumped up
>> to
>> >>>>>> the
>> >>>>>>>>> Servlet 3.0 specification.
>> >>>>>>>>>
>> >>>>>>>>> There are some important cookie security features
missing in the
>> >>>>>>> ancient
>> >>>>>>>>> Servlet 2.4 spec, namely the secure and httpOnly
flags. Bumping
>> >>>>>> support
>> >>>>>>>> to
>> >>>>>>>>> Servlet 3.0 would allow the Geode AppServer
session module to
>> >>>>>>> inherently
>> >>>>>>>>> support these session cookie security features.
>> >>>>>>>>>
>> >>>>>>>>> I have logged the following Jira issue:
>> >>>>>>>>>
>> >>>>>>>>> https://issues.apache.org/jira/browse/GEODE-7438
>> >>>>>>>>>
>> >>>>>>>>> and submitted a pull request that provides the
necessary support
>> >> if
>> >>>>>> the
>> >>>>>>>>> Geode community agrees this is a good idea.
>> >>>>>>>>>
>> >>>>>>>>> And thank you for the excellent Apache Geode
project!
>> >>>>>>>>>
>> >>>>>>>>> --
>> >>>>>>>>>
>> >>>>>>>>> Charles Smith
>> >>>>>>>>>
>> >>>>>>>>> Developer/Analyst
>> >>>>>>>>>
>> >>>>>>>>> Web Architecture and Development
>> >>>>>>>>> MacEwan University
>> >>>>>>>>> smithc14@macewan.ca
>> >>>>>>>>>
>> >>>>>>>>>
>> >>>>>>>
>> >>>>>>> --
>> >>>>>>> -John
>> >>>>>>> john.blum10101 (skype)
>> >>>>>>>
>> >>>>>
>> >>>>> --
>> >>>>> -John
>> >>>>> john.blum10101 (skype)
>> >>>>>
>> >>
>> >> --
>> >> *Joris Melchior *
>> >> CF Engineering
>> >> Pivotal Toronto
>> >> 416 877 5427
>> >>
>> >> “Programs must be written for people to read, and only incidentally for
>> >> machines to execute.” – *Hal Abelson*
>> >> <https://en.wikipedia.org/wiki/Hal_Abelson>
>> >>
>>
>

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message