To be clear, this proposal just wants to update the *minimum* *documented* requirement. The following PR would require that to be 3.0: https://github.com/apache/geode/pull/4311
There is no additional change required other than documentation. --Jens On Wed, Nov 20, 2019 at 9:46 AM Udo Kohlmeyer <u...@apache.com> wrote: > I think that we should really be looking at going to 4.0. > > It would be compatible with 3.1, but given that 4.0 is standard with > Java 8 (which already EOL), we should try and get onto the latest. > > I don't think that us aligning ourselves with a tech release in 2013 is > something we should do. > > --Udo > > On 11/20/19 9:17 AM, Jens Deppe wrote: > > Since there appears to be consensus, I'm going to give this thread > another > > 24 hours and will then consider this proposal accepted. > > > > If anyone does have concerns please do raise them now. > > > > Thanks > > --Jens > > > > On Sat, Nov 16, 2019 at 8:17 AM Joris Melchior <jmelch...@pivotal.io> > wrote: > > > >> +1 for bumping to 3.1 > >> > >> On Fri, Nov 15, 2019 at 10:27 PM Jacob Barrett <jbarr...@pivotal.io> > >> wrote: > >> > >>> +1 for 3.1 > >>> > >>>> On Nov 15, 2019, at 3:08 PM, Jens Deppe <jde...@pivotal.io> wrote: > >>>> > >>>> +1 to bumping the documented support to 3.1. > >>>> > >>>> The prompting for this proposal is due to this PR which specifically > >>> wants > >>>> to utilize a *3.0* API: https://github.com/apache/geode/pull/4311 > >>>> > >>>> Thus implementing this change will not preclude being able to use the > >>>> Session Module in a 3.0 container (even if we document support as > being > >>>> against 3.1) > >>>> > >>>> --Jens > >>>> > >>>>> On Fri, Nov 15, 2019 at 2:57 PM John Blum <jb...@pivotal.io> wrote: > >>>>> > >>>>> I would minimally bump it to 3.1 then. Not only does Servlet 3.1 > open > >>> up > >>>>> more doors (e.g. NIO), but is also implemented by all current Servlet > >>>>> Container providers (Tomcat, Jetty, etc). Additionally, given all > the > >>>>> Servlet Containers Jens mentioned at the version that started > >> supporting > >>>>> Servlet 3.0 are no longer supported, then 3.1 seems like a > >>> good/reasonable > >>>>> target. > >>>>> > >>>>> -j > >>>>> > >>>>>> On Fri, Nov 15, 2019 at 12:49 PM Dan Smith <dsm...@pivotal.io> > >> wrote: > >>>>>> +1 to bumping to servlet 3.0. > >>>>>> > >>>>>> -Dan > >>>>>> > >>>>>> On Fri, Nov 15, 2019 at 12:16 PM Charles Smith <smith...@macewan.ca > > > >>>>>> wrote: > >>>>>> > >>>>>>> Seems to me as long as newer Servlet specs do not deprecate > >>>>>>> functionality/api that the session module requires AND that the > >>> session > >>>>>>> module is not missing any important functionality provided by newer > >>>>>> Servlet > >>>>>>> specs that it's best to base support the oldest Servlet spec that > is > >>>>>> still > >>>>>>> supported by active container versions. As Jens nicely enumerated, > >>> this > >>>>>>> seems to be Servlet 3.0 right now. > >>>>>>> > >>>>>>> At least that's the approach that would give the session management > >>>>>>> modules the widest audience. I am currently writing a Servlet 4.0 > >> web > >>>>> app > >>>>>>> and the Geode session module is working great except that I need to > >>>>> layer > >>>>>>> on an additional filter to ensure my session cookies are secure. > >>>>>>> > >>>>>>> > >>>>>>> -- > >>>>>>> > >>>>>>> Charles Smith > >>>>>>> > >>>>>>> Developer/Analyst > >>>>>>> > >>>>>>> Web Architecture and Development > >>>>>>> MacEwan University > >>>>>>> smith...@macewan.ca > >>>>>>> > >>>>>>> > >>>>>>> ________________________________ > >>>>>>> From: John Blum <jb...@pivotal.io> > >>>>>>> Sent: Friday, November 15, 2019 11:17 AM > >>>>>>> To: geode <dev@geode.apache.org> > >>>>>>> Subject: Re: Proposal to modify Servlet spec support for the HTTP > >>>>> Session > >>>>>>> Management Module for AppServers > >>>>>>> > >>>>>>> Since the Servlet 3.1 spec is available and the current version is > >>> 4.0, > >>>>>> why > >>>>>>> not consider 3.1 or even 4.0, actually? > >>>>>>> > >>>>>>> -j > >>>>>>> > >>>>>>> On Fri, Nov 15, 2019 at 8:59 AM Jens Deppe <jde...@pivotal.io> > >> wrote: > >>>>>>>> Hello Charles; thanks very much for bringing this up. > >>>>>>>> > >>>>>>>> I vote +1 on this proposal. > >>>>>>>> > >>>>>>>> Just to add a bit more details for others: > >>>>>>>> > >>>>>>>> The 3.0 Servlet Spec was finalized at the end of 2009. The > >> *earliest* > >>>>>>>> versions of various containers that supported it are: > >>>>>>>> > >>>>>>>> - Jetty 8 (EOL'd since 11/2014) [1] > >>>>>>>> - Tomcat 7 (Version 6 EOL'd 2017) [2] > >>>>>>>> - JBoss Web 3.0.0 (version 2.x reached End of Maintenance > >> 11/2017) > >>>>>> [3] > >>>>>>>> - Websphere 8.0 (End of support 4/2018) [4] > >>>>>>>> - Weblogic 12cR1 (Extended Support until 12/2019) [5] > >>>>>>>> > >>>>>>>> The implication is that, of these products, there are *no* > >> currently > >>>>>>>> supported versions that *do not* support the Servlet 3.0 spec. I > >>>>>> believe > >>>>>>> it > >>>>>>>> is quite safe for us to indicate that the Session Modules are now > >>>>> only > >>>>>>>> supported on 3.0 compliant containers. > >>>>>>>> > >>>>>>>> --Jens > >>>>>>>> > >>>>>>>> [1] - > >>>>>>>> > >> > https://www.eclipse.org/jetty/documentation/current/what-jetty-version.html > >>>>>>>> [2] - http://tomcat.apache.org/whichversion.html > >>>>>>>> [3] - > https://access.redhat.com/support/policy/updates/jboss_notes > >>>>>>>> [4] - > >> https://en.wikipedia.org/wiki/IBM_WebSphere_Application_Server > >>>>>>>> [5] - > >>>>>>>> > >>>>>>>> > >> > https://www.solstice.com/fwd/survival-guide-to-webspheres-and-weblogics-end-of-life > >>>>>>>> On Fri, Nov 15, 2019 at 8:11 AM Charles Smith < > smith...@macewan.ca > >>>>>>> wrote: > >>>>>>>>> Hello, > >>>>>>>>> > >>>>>>>>> The Geode HTTP Session Management Module for AppServers currently > >>>>>>> states: > >>>>>>>>> This approach is a generic solution, which is supported by any > >>>>>>> container > >>>>>>>>> that implements the Servlet 2.4 specification. > >>>>>>>>> I would like to suggest that this official support be bumped up > to > >>>>>> the > >>>>>>>>> Servlet 3.0 specification. > >>>>>>>>> > >>>>>>>>> There are some important cookie security features missing in the > >>>>>>> ancient > >>>>>>>>> Servlet 2.4 spec, namely the secure and httpOnly flags. Bumping > >>>>>> support > >>>>>>>> to > >>>>>>>>> Servlet 3.0 would allow the Geode AppServer session module to > >>>>>>> inherently > >>>>>>>>> support these session cookie security features. > >>>>>>>>> > >>>>>>>>> I have logged the following Jira issue: > >>>>>>>>> > >>>>>>>>> https://issues.apache.org/jira/browse/GEODE-7438 > >>>>>>>>> > >>>>>>>>> and submitted a pull request that provides the necessary support > >> if > >>>>>> the > >>>>>>>>> Geode community agrees this is a good idea. > >>>>>>>>> > >>>>>>>>> And thank you for the excellent Apache Geode project! > >>>>>>>>> > >>>>>>>>> -- > >>>>>>>>> > >>>>>>>>> Charles Smith > >>>>>>>>> > >>>>>>>>> Developer/Analyst > >>>>>>>>> > >>>>>>>>> Web Architecture and Development > >>>>>>>>> MacEwan University > >>>>>>>>> smith...@macewan.ca > >>>>>>>>> > >>>>>>>>> > >>>>>>> > >>>>>>> -- > >>>>>>> -John > >>>>>>> john.blum10101 (skype) > >>>>>>> > >>>>> > >>>>> -- > >>>>> -John > >>>>> john.blum10101 (skype) > >>>>> > >> > >> -- > >> *Joris Melchior * > >> CF Engineering > >> Pivotal Toronto > >> 416 877 5427 > >> > >> “Programs must be written for people to read, and only incidentally for > >> machines to execute.” – *Hal Abelson* > >> <https://en.wikipedia.org/wiki/Hal_Abelson> > >> >
