+1 to bumping to servlet 3.0. -Dan
On Fri, Nov 15, 2019 at 12:16 PM Charles Smith <smith...@macewan.ca> wrote:

> Seems to me as long as newer Servlet specs do not deprecate
> functionality/api that the session module requires AND that the session
> module is not missing any important functionality provided by newer Servlet
> specs that it's best to base support on the oldest Servlet spec that is still
> supported by active container versions. As Jens nicely enumerated, this
> seems to be Servlet 3.0 right now.
>
> At least that's the approach that would give the session management
> modules the widest audience. I am currently writing a Servlet 4.0 web app
> and the Geode session module is working great except that I need to layer
> on an additional filter to ensure my session cookies are secure.
>
> --
> Charles Smith
> Developer/Analyst
> Web Architecture and Development
> MacEwan University
> smith...@macewan.ca
>
> ________________________________
> From: John Blum <jb...@pivotal.io>
> Sent: Friday, November 15, 2019 11:17 AM
> To: geode <dev@geode.apache.org>
> Subject: Re: Proposal to modify Servlet spec support for the HTTP Session
> Management Module for AppServers
>
> Since the Servlet 3.1 spec is available and the current version is 4.0, why
> not consider 3.1 or even 4.0, actually?
>
> -j
>
> On Fri, Nov 15, 2019 at 8:59 AM Jens Deppe <jde...@pivotal.io> wrote:
>
> > Hello Charles; thanks very much for bringing this up.
> >
> > I vote +1 on this proposal.
> >
> > Just to add a bit more details for others:
> >
> > The 3.0 Servlet Spec was finalized at the end of 2009. The *earliest*
> > versions of various containers that supported it are:
> >
> > - Jetty 8 (EOL'd since 11/2014) [1]
> > - Tomcat 7 (Version 6 EOL'd 2017) [2]
> > - JBoss Web 3.0.0 (version 2.x reached End of Maintenance 11/2017) [3]
> > - Websphere 8.0 (End of support 4/2018) [4]
> > - Weblogic 12cR1 (Extended Support until 12/2019) [5]
> >
> > The implication is that, of these products, there are *no* currently
> > supported versions that *do not* support the Servlet 3.0 spec. I believe it
> > is quite safe for us to indicate that the Session Modules are now only
> > supported on 3.0 compliant containers.
> >
> > --Jens
> >
> > [1] - https://www.eclipse.org/jetty/documentation/current/what-jetty-version.html
> > [2] - http://tomcat.apache.org/whichversion.html
> > [3] - https://access.redhat.com/support/policy/updates/jboss_notes
> > [4] - https://en.wikipedia.org/wiki/IBM_WebSphere_Application_Server
> > [5] - https://www.solstice.com/fwd/survival-guide-to-webspheres-and-weblogics-end-of-life
> >
> > On Fri, Nov 15, 2019 at 8:11 AM Charles Smith <smith...@macewan.ca> wrote:
> >
> > > Hello,
> > >
> > > The Geode HTTP Session Management Module for AppServers currently states:
> > > This approach is a generic solution, which is supported by any container
> > > that implements the Servlet 2.4 specification.
> > > I would like to suggest that this official support be bumped up to the
> > > Servlet 3.0 specification.
> > >
> > > There are some important cookie security features missing in the ancient
> > > Servlet 2.4 spec, namely the secure and httpOnly flags. Bumping support to
> > > Servlet 3.0 would allow the Geode AppServer session module to inherently
> > > support these session cookie security features.
> > >
> > > I have logged the following Jira issue:
> > >
> > > https://issues.apache.org/jira/browse/GEODE-7438
> > >
> > > and submitted a pull request that provides the necessary support if the
> > > Geode community agrees this is a good idea.
> > >
> > > And thank you for the excellent Apache Geode project!
> > >
> > > --
> > > Charles Smith
> > > Developer/Analyst
> > > Web Architecture and Development
> > > MacEwan University
> > > smith...@macewan.ca
>
> --
> -John
> john.blum10101 (skype)
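
An added example, not part of the thread and not Geode code: the Servlet 3.0 session-cookie flags discussed above, set from a context listener, with a response-wrapping filter of the kind Charles mentions as a backstop. The class name, the filter name and the "JSESSIONID" fallback are assumptions, and the thread does not say whether the Geode module issues its cookie through either path.

```java
import java.io.IOException;
import java.util.EnumSet;
import javax.servlet.*;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.*;

/** Added example (hypothetical class): harden the session cookie on a Servlet 3.0+ container. */
@WebListener
public class SecureSessionCookieListener implements ServletContextListener {

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        ServletContext ctx = sce.getServletContext();

        // Servlet 3.0 API, absent from 2.4: flags on the container-issued session cookie.
        SessionCookieConfig cfg = ctx.getSessionCookieConfig();
        cfg.setHttpOnly(true);  // hidden from document.cookie
        cfg.setSecure(true);    // sent over HTTPS only
        // Keep the session id out of URLs (no ;jsessionid= rewriting).
        ctx.setSessionTrackingModes(EnumSet.of(SessionTrackingMode.COOKIE));

        // Backstop: set the same flags on a session cookie that other code adds
        // through response.addCookie() without consulting SessionCookieConfig.
        final String name = cfg.getName() != null ? cfg.getName() : "JSESSIONID";
        FilterRegistration.Dynamic reg = ctx.addFilter("sessionCookieFlags", new Filter() {
            @Override public void init(FilterConfig fc) { }
            @Override public void destroy() { }
            @Override
            public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
                    throws IOException, ServletException {
                if (!(res instanceof HttpServletResponse)) { chain.doFilter(req, res); return; }
                chain.doFilter(req, new HttpServletResponseWrapper((HttpServletResponse) res) {
                    @Override
                    public void addCookie(Cookie c) {
                        if (name.equals(c.getName())) { c.setHttpOnly(true); c.setSecure(true); }
                        super.addCookie(c);
                    }
                });
            }
        });
        // isMatchAfter=false places this mapping ahead of declared filters, so
        // filters further down the chain write cookies through the wrapper.
        if (reg != null) {  // null when a filter of that name is already registered
            reg.addMappingForUrlPatterns(EnumSet.of(DispatcherType.REQUEST), false, "/*");
        }
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) { }
}
```

With the Secure flag set, the browser does not return the session cookie over plain HTTP, so the application has to be reached over HTTPS for sessions to persist.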