Seems to me as long as newer Servlet specs do not deprecate functionality/api that the session module requires AND that the session module is not missing any important functionality provided by newer Servlet specs that it's best to base support the oldest Servlet spec that is still supported by active container versions. As Jens nicely enumerated, this seems to be Servlet 3.0 right now.
At least that's the approach that would give the session management modules the widest audience. I am currently writing a Servlet 4.0 web app and the Geode session module is working great except that I need to layer on an additional filter to ensure my session cookies are secure. -- Charles Smith Developer/Analyst Web Architecture and Development MacEwan University smith...@macewan.ca ________________________________ From: John Blum <jb...@pivotal.io> Sent: Friday, November 15, 2019 11:17 AM To: geode <dev@geode.apache.org> Subject: Re: Proposal to modify Servlet spec support for the HTTP Session Management Module for AppServers Since the Servlet 3.1 spec is available and the current version is 4.0, why not consider 3.1 or even 4.0, actually? -j On Fri, Nov 15, 2019 at 8:59 AM Jens Deppe <jde...@pivotal.io> wrote: > Hello Charles; thanks very much for bringing this up. > > I vote +1 on this proposal. > > Just to add a bit more details for others: > > The 3.0 Servlet Spec was finalized at the end of 2009. The *earliest* > versions of various containers that supported it are: > > - Jetty 8 (EOL'd since 11/2014) [1] > - Tomcat 7 (Version 6 EOL'd 2017) [2] > - JBoss Web 3.0.0 (version 2.x reached End of Maintenance 11/2017) [3] > - Websphere 8.0 (End of support 4/2018) [4] > - Weblogic 12cR1 (Extended Support until 12/2019) [5] > > The implication is that, of these products, there are *no* currently > supported versions that *do not* support the Servlet 3.0 spec. I believe it > is quite safe for us to indicate that the Session Modules are now only > supported on 3.0 compliant containers. > > --Jens > > [1] - > https://www.eclipse.org/jetty/documentation/current/what-jetty-version.html > [2] - http://tomcat.apache.org/whichversion.html > [3] - https://access.redhat.com/support/policy/updates/jboss_notes > [4] - https://en.wikipedia.org/wiki/IBM_WebSphere_Application_Server > [5] - > > https://www.solstice.com/fwd/survival-guide-to-webspheres-and-weblogics-end-of-life > > On Fri, Nov 15, 2019 at 8:11 AM Charles Smith <smith...@macewan.ca> wrote: > > > Hello, > > > > The Geode HTTP Session Management Module for AppServers currently states: > > This approach is a generic solution, which is supported by any container > > that implements the Servlet 2.4 specification. > > I would like to suggest that this official support be bumped up to the > > Servlet 3.0 specification. > > > > There are some important cookie security features missing in the ancient > > Servlet 2.4 spec, namely the secure and httpOnly flags. Bumping support > to > > Servlet 3.0 would allow the Geode AppServer session module to inherently > > support these session cookie security features. > > > > I have logged the following Jira issue: > > > > https://issues.apache.org/jira/browse/GEODE-7438 > > > > and submitted a pull request that provides the necessary support if the > > Geode community agrees this is a good idea. > > > > And thank you for the excellent Apache Geode project! > > > > -- > > > > Charles Smith > > > > Developer/Analyst > > > > Web Architecture and Development > > MacEwan University > > smith...@macewan.ca > > > > > -- -John john.blum10101 (skype)
