+1 for bumping to 3.1

On Fri, Nov 15, 2019 at 10:27 PM Jacob Barrett <jbarr...@pivotal.io> wrote:

> +1 for 3.1
>
> > On Nov 15, 2019, at 3:08 PM, Jens Deppe <jde...@pivotal.io> wrote:
> >
> > +1 to bumping the documented support to 3.1.
> >
> > The prompting for this proposal is due to this PR which specifically wants
> > to utilize a *3.0* API: https://github.com/apache/geode/pull/4311
> >
> > Thus implementing this change will not preclude being able to use the
> > Session Module in a 3.0 container (even if we document support as being
> > against 3.1)
> >
> > --Jens
> >
> >> On Fri, Nov 15, 2019 at 2:57 PM John Blum <jb...@pivotal.io> wrote:
> >>
> >> I would minimally bump it to 3.1 then. Not only does Servlet 3.1 open up
> >> more doors (e.g. NIO), but is also implemented by all current Servlet
> >> Container providers (Tomcat, Jetty, etc). Additionally, given all the
> >> Servlet Containers Jens mentioned at the version that started supporting
> >> Servlet 3.0 are no longer supported, then 3.1 seems like a good/reasonable
> >> target.
> >>
> >> -j
> >>
> >>> On Fri, Nov 15, 2019 at 12:49 PM Dan Smith <dsm...@pivotal.io> wrote:
> >>>
> >>> +1 to bumping to servlet 3.0.
> >>>
> >>> -Dan
> >>>
> >>> On Fri, Nov 15, 2019 at 12:16 PM Charles Smith <smith...@macewan.ca>
> >>> wrote:
> >>>
> >>>> Seems to me as long as newer Servlet specs do not deprecate
> >>>> functionality/api that the session module requires AND that the session
> >>>> module is not missing any important functionality provided by newer
> >>>> Servlet specs that it's best to base support on the oldest Servlet spec
> >>>> that is still supported by active container versions. As Jens nicely
> >>>> enumerated, this seems to be Servlet 3.0 right now.
> >>>>
> >>>> At least that's the approach that would give the session management
> >>>> modules the widest audience. I am currently writing a Servlet 4.0 web
> >>>> app and the Geode session module is working great except that I need to
> >>>> layer on an additional filter to ensure my session cookies are secure.
> >>>>
> >>>> --
> >>>>
> >>>> Charles Smith
> >>>>
> >>>> Developer/Analyst
> >>>>
> >>>> Web Architecture and Development
> >>>> MacEwan University
> >>>> smith...@macewan.ca
> >>>>
> >>>> ________________________________
> >>>> From: John Blum <jb...@pivotal.io>
> >>>> Sent: Friday, November 15, 2019 11:17 AM
> >>>> To: geode <dev@geode.apache.org>
> >>>> Subject: Re: Proposal to modify Servlet spec support for the HTTP
> >>>> Session Management Module for AppServers
> >>>>
> >>>> Since the Servlet 3.1 spec is available and the current version is 4.0,
> >>>> why not consider 3.1 or even 4.0, actually?
> >>>>
> >>>> -j
> >>>>
> >>>> On Fri, Nov 15, 2019 at 8:59 AM Jens Deppe <jde...@pivotal.io> wrote:
> >>>>
> >>>>> Hello Charles; thanks very much for bringing this up.
> >>>>>
> >>>>> I vote +1 on this proposal.
> >>>>>
> >>>>> Just to add a bit more detail for others:
> >>>>>
> >>>>> The 3.0 Servlet Spec was finalized at the end of 2009. The *earliest*
> >>>>> versions of various containers that supported it are:
> >>>>>
> >>>>> - Jetty 8 (EOL'd since 11/2014) [1]
> >>>>> - Tomcat 7 (Version 6 EOL'd 2017) [2]
> >>>>> - JBoss Web 3.0.0 (version 2.x reached End of Maintenance 11/2017) [3]
> >>>>> - Websphere 8.0 (End of support 4/2018) [4]
> >>>>> - Weblogic 12cR1 (Extended Support until 12/2019) [5]
> >>>>>
> >>>>> The implication is that, of these products, there are *no* currently
> >>>>> supported versions that *do not* support the Servlet 3.0 spec. I
> >>>>> believe it is quite safe for us to indicate that the Session Modules
> >>>>> are now only supported on 3.0 compliant containers.
> >>>>>
> >>>>> --Jens
> >>>>>
> >>>>> [1] - https://www.eclipse.org/jetty/documentation/current/what-jetty-version.html
> >>>>> [2] - http://tomcat.apache.org/whichversion.html
> >>>>> [3] - https://access.redhat.com/support/policy/updates/jboss_notes
> >>>>> [4] - https://en.wikipedia.org/wiki/IBM_WebSphere_Application_Server
> >>>>> [5] - https://www.solstice.com/fwd/survival-guide-to-webspheres-and-weblogics-end-of-life
> >>>>>
> >>>>> On Fri, Nov 15, 2019 at 8:11 AM Charles Smith <smith...@macewan.ca>
> >>>>> wrote:
> >>>>>
> >>>>>> Hello,
> >>>>>>
> >>>>>> The Geode HTTP Session Management Module for AppServers currently
> >>>>>> states:
> >>>>>> This approach is a generic solution, which is supported by any
> >>>>>> container that implements the Servlet 2.4 specification.
> >>>>>> I would like to suggest that this official support be bumped up to
> >>>>>> the Servlet 3.0 specification.
> >>>>>>
> >>>>>> There are some important cookie security features missing in the
> >>>>>> ancient Servlet 2.4 spec, namely the secure and httpOnly flags.
> >>>>>> Bumping support to Servlet 3.0 would allow the Geode AppServer
> >>>>>> session module to inherently support these session cookie security
> >>>>>> features.
> >>>>>>
> >>>>>> I have logged the following Jira issue:
> >>>>>>
> >>>>>> https://issues.apache.org/jira/browse/GEODE-7438
> >>>>>>
> >>>>>> and submitted a pull request that provides the necessary support if
> >>>>>> the Geode community agrees this is a good idea.
> >>>>>>
> >>>>>> And thank you for the excellent Apache Geode project!
> >>>>>>
> >>>>>> --
> >>>>>>
> >>>>>> Charles Smith
> >>>>>>
> >>>>>> Developer/Analyst
> >>>>>>
> >>>>>> Web Architecture and Development
> >>>>>> MacEwan University
> >>>>>> smith...@macewan.ca
> >>>>
> >>>> --
> >>>> -John
> >>>> john.blum10101 (skype)
> >>
> >> --
> >> -John
> >> john.blum10101 (skype)

--
*Joris Melchior*
CF Engineering
Pivotal Toronto
416 877 5427

“Programs must be written for people to read, and only incidentally for
machines to execute.” – *Hal Abelson* <https://en.wikipedia.org/wiki/Hal_Abelson>
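
The secure and httpOnly session-cookie flags that the original proposal cites as missing from Servlet 2.4 are exposed in Servlet 3.0 through `SessionCookieConfig`. The listener below is an added illustration, not code from this thread or from the Geode pull request; the class name is hypothetical, and it assumes the component that issues the session cookie honors the container's `SessionCookieConfig`.

```java
import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionCookieConfig;
import javax.servlet.annotation.WebListener;

/**
 * Added example (hypothetical class): sets the session-cookie security
 * flags once, at application startup, using the Servlet 3.0 API.
 */
@WebListener
public class SecureSessionCookieListener implements ServletContextListener {

    @Override
    public void contextInitialized(ServletContextEvent event) {
        ServletContext ctx = event.getServletContext();

        // Available from Servlet 3.0 on. The setters throw
        // IllegalStateException once the context has finished
        // initializing, so this must run in a startup listener.
        SessionCookieConfig cookie = ctx.getSessionCookieConfig();

        // HttpOnly: the cookie is not readable from document.cookie, so a
        // script injected into a page cannot copy the session id.
        cookie.setHttpOnly(true);

        // Secure: the browser returns the cookie only over HTTPS, so the
        // session id never crosses the network in clear text.
        cookie.setSecure(true);

        // Read the values back so the effective settings appear in the
        // container log and can be checked after a deployment.
        ctx.log("Session cookie flags: httpOnly=" + cookie.isHttpOnly()
                + ", secure=" + cookie.isSecure());
    }

    @Override
    public void contextDestroyed(ServletContextEvent event) {
        // Nothing to release; Servlet 3.x requires the method to exist.
    }
}
```

The same two settings can be declared in a Servlet 3.0 `web.xml` under `<session-config><cookie-config>` with `<http-only>` and `<secure>`. With `secure` set, a deployment reached over plain HTTP will not get the session cookie back from the browser.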