I would minimally bump it to 3.1 then. Not only does Servlet 3.1 open up more doors (e.g. NIO), but is also implemented by all current Servlet Container providers (Tomcat, Jetty, etc). Additionally, given all the Servlet Containers Jens mentioned at the version that started supporting Servlet 3.0 are no longer supported, then 3.1 seems like a good/reasonable target.
-j On Fri, Nov 15, 2019 at 12:49 PM Dan Smith <dsm...@pivotal.io> wrote: > +1 to bumping to servlet 3.0. > > -Dan > > On Fri, Nov 15, 2019 at 12:16 PM Charles Smith <smith...@macewan.ca> > wrote: > > > Seems to me as long as newer Servlet specs do not deprecate > > functionality/api that the session module requires AND that the session > > module is not missing any important functionality provided by newer > Servlet > > specs that it's best to base support the oldest Servlet spec that is > still > > supported by active container versions. As Jens nicely enumerated, this > > seems to be Servlet 3.0 right now. > > > > At least that's the approach that would give the session management > > modules the widest audience. I am currently writing a Servlet 4.0 web app > > and the Geode session module is working great except that I need to layer > > on an additional filter to ensure my session cookies are secure. > > > > > > -- > > > > Charles Smith > > > > Developer/Analyst > > > > Web Architecture and Development > > MacEwan University > > smith...@macewan.ca > > > > > > ________________________________ > > From: John Blum <jb...@pivotal.io> > > Sent: Friday, November 15, 2019 11:17 AM > > To: geode <dev@geode.apache.org> > > Subject: Re: Proposal to modify Servlet spec support for the HTTP Session > > Management Module for AppServers > > > > Since the Servlet 3.1 spec is available and the current version is 4.0, > why > > not consider 3.1 or even 4.0, actually? > > > > -j > > > > On Fri, Nov 15, 2019 at 8:59 AM Jens Deppe <jde...@pivotal.io> wrote: > > > > > Hello Charles; thanks very much for bringing this up. > > > > > > I vote +1 on this proposal. > > > > > > Just to add a bit more details for others: > > > > > > The 3.0 Servlet Spec was finalized at the end of 2009. The *earliest* > > > versions of various containers that supported it are: > > > > > > - Jetty 8 (EOL'd since 11/2014) [1] > > > - Tomcat 7 (Version 6 EOL'd 2017) [2] > > > - JBoss Web 3.0.0 (version 2.x reached End of Maintenance 11/2017) > [3] > > > - Websphere 8.0 (End of support 4/2018) [4] > > > - Weblogic 12cR1 (Extended Support until 12/2019) [5] > > > > > > The implication is that, of these products, there are *no* currently > > > supported versions that *do not* support the Servlet 3.0 spec. I > believe > > it > > > is quite safe for us to indicate that the Session Modules are now only > > > supported on 3.0 compliant containers. > > > > > > --Jens > > > > > > [1] - > > > > > > https://www.eclipse.org/jetty/documentation/current/what-jetty-version.html > > > [2] - http://tomcat.apache.org/whichversion.html > > > [3] - https://access.redhat.com/support/policy/updates/jboss_notes > > > [4] - https://en.wikipedia.org/wiki/IBM_WebSphere_Application_Server > > > [5] - > > > > > > > > > https://www.solstice.com/fwd/survival-guide-to-webspheres-and-weblogics-end-of-life > > > > > > On Fri, Nov 15, 2019 at 8:11 AM Charles Smith <smith...@macewan.ca> > > wrote: > > > > > > > Hello, > > > > > > > > The Geode HTTP Session Management Module for AppServers currently > > states: > > > > This approach is a generic solution, which is supported by any > > container > > > > that implements the Servlet 2.4 specification. > > > > I would like to suggest that this official support be bumped up to > the > > > > Servlet 3.0 specification. > > > > > > > > There are some important cookie security features missing in the > > ancient > > > > Servlet 2.4 spec, namely the secure and httpOnly flags. Bumping > support > > > to > > > > Servlet 3.0 would allow the Geode AppServer session module to > > inherently > > > > support these session cookie security features. > > > > > > > > I have logged the following Jira issue: > > > > > > > > https://issues.apache.org/jira/browse/GEODE-7438 > > > > > > > > and submitted a pull request that provides the necessary support if > the > > > > Geode community agrees this is a good idea. > > > > > > > > And thank you for the excellent Apache Geode project! > > > > > > > > -- > > > > > > > > Charles Smith > > > > > > > > Developer/Analyst > > > > > > > > Web Architecture and Development > > > > MacEwan University > > > > smith...@macewan.ca > > > > > > > > > > > > > > > > > -- > > -John > > john.blum10101 (skype) > > > -- -John john.blum10101 (skype)
