1 more thing... You can provide additional/dedicated support for newer versions (e.g. Servlet 4.0) without (unduly) sacrificing backwards compatibility. This is done by many popular Java frameworks in fact, which also simultaneously constitute a minimum baseline (e.g. Servlet 3.1). Be current and compatible where it makes sense. Servlet 3.1 is a very powerful and logical choice at this particular point in time.
FYR... Apache Tomcat: https://docs.spring.io/spring-boot-data-geode-build/1.2.x/reference/html5/ Eclipse Jetty: https://www.eclipse.org/jetty/documentation/current/what-jetty-version.html Undertow: http://undertow.io/undertow-docs/undertow-docs-1.3.0/index.html#getting-undertow ... http://undertow.io/ On Fri, Nov 15, 2019 at 2:57 PM John Blum <jb...@pivotal.io> wrote: > I would minimally bump it to 3.1 then. Not only does Servlet 3.1 open up > more doors (e.g. NIO), but is also implemented by all current Servlet > Container providers (Tomcat, Jetty, etc). Additionally, given all the > Servlet Containers Jens mentioned at the version that started supporting > Servlet 3.0 are no longer supported, then 3.1 seems like a good/reasonable > target. > > -j > > On Fri, Nov 15, 2019 at 12:49 PM Dan Smith <dsm...@pivotal.io> wrote: > >> +1 to bumping to servlet 3.0. >> >> -Dan >> >> On Fri, Nov 15, 2019 at 12:16 PM Charles Smith <smith...@macewan.ca> >> wrote: >> >> > Seems to me as long as newer Servlet specs do not deprecate >> > functionality/api that the session module requires AND that the session >> > module is not missing any important functionality provided by newer >> Servlet >> > specs that it's best to base support the oldest Servlet spec that is >> still >> > supported by active container versions. As Jens nicely enumerated, this >> > seems to be Servlet 3.0 right now. >> > >> > At least that's the approach that would give the session management >> > modules the widest audience. I am currently writing a Servlet 4.0 web >> app >> > and the Geode session module is working great except that I need to >> layer >> > on an additional filter to ensure my session cookies are secure. >> > >> > >> > -- >> > >> > Charles Smith >> > >> > Developer/Analyst >> > >> > Web Architecture and Development >> > MacEwan University >> > smith...@macewan.ca >> > >> > >> > ________________________________ >> > From: John Blum <jb...@pivotal.io> >> > Sent: Friday, November 15, 2019 11:17 AM >> > To: geode <dev@geode.apache.org> >> > Subject: Re: Proposal to modify Servlet spec support for the HTTP >> Session >> > Management Module for AppServers >> > >> > Since the Servlet 3.1 spec is available and the current version is 4.0, >> why >> > not consider 3.1 or even 4.0, actually? >> > >> > -j >> > >> > On Fri, Nov 15, 2019 at 8:59 AM Jens Deppe <jde...@pivotal.io> wrote: >> > >> > > Hello Charles; thanks very much for bringing this up. >> > > >> > > I vote +1 on this proposal. >> > > >> > > Just to add a bit more details for others: >> > > >> > > The 3.0 Servlet Spec was finalized at the end of 2009. The *earliest* >> > > versions of various containers that supported it are: >> > > >> > > - Jetty 8 (EOL'd since 11/2014) [1] >> > > - Tomcat 7 (Version 6 EOL'd 2017) [2] >> > > - JBoss Web 3.0.0 (version 2.x reached End of Maintenance 11/2017) >> [3] >> > > - Websphere 8.0 (End of support 4/2018) [4] >> > > - Weblogic 12cR1 (Extended Support until 12/2019) [5] >> > > >> > > The implication is that, of these products, there are *no* currently >> > > supported versions that *do not* support the Servlet 3.0 spec. I >> believe >> > it >> > > is quite safe for us to indicate that the Session Modules are now only >> > > supported on 3.0 compliant containers. >> > > >> > > --Jens >> > > >> > > [1] - >> > > >> > >> https://www.eclipse.org/jetty/documentation/current/what-jetty-version.html >> > > [2] - http://tomcat.apache.org/whichversion.html >> > > [3] - https://access.redhat.com/support/policy/updates/jboss_notes >> > > [4] - https://en.wikipedia.org/wiki/IBM_WebSphere_Application_Server >> > > [5] - >> > > >> > > >> > >> https://www.solstice.com/fwd/survival-guide-to-webspheres-and-weblogics-end-of-life >> > > >> > > On Fri, Nov 15, 2019 at 8:11 AM Charles Smith <smith...@macewan.ca> >> > wrote: >> > > >> > > > Hello, >> > > > >> > > > The Geode HTTP Session Management Module for AppServers currently >> > states: >> > > > This approach is a generic solution, which is supported by any >> > container >> > > > that implements the Servlet 2.4 specification. >> > > > I would like to suggest that this official support be bumped up to >> the >> > > > Servlet 3.0 specification. >> > > > >> > > > There are some important cookie security features missing in the >> > ancient >> > > > Servlet 2.4 spec, namely the secure and httpOnly flags. Bumping >> support >> > > to >> > > > Servlet 3.0 would allow the Geode AppServer session module to >> > inherently >> > > > support these session cookie security features. >> > > > >> > > > I have logged the following Jira issue: >> > > > >> > > > https://issues.apache.org/jira/browse/GEODE-7438 >> > > > >> > > > and submitted a pull request that provides the necessary support if >> the >> > > > Geode community agrees this is a good idea. >> > > > >> > > > And thank you for the excellent Apache Geode project! >> > > > >> > > > -- >> > > > >> > > > Charles Smith >> > > > >> > > > Developer/Analyst >> > > > >> > > > Web Architecture and Development >> > > > MacEwan University >> > > > smith...@macewan.ca >> > > > >> > > > >> > > >> > >> > >> > -- >> > -John >> > john.blum10101 (skype) >> > >> > > > -- > -John > john.blum10101 (skype) > -- -John john.blum10101 (skype)
