Posted to dev@geode.apache.org by Charles Smith <Sm...@macewan.ca> on 2019/11/15 16:10:51 UTC

Proposal to modify Servlet spec support for the HTTP Session Management Module for AppServers

Hello,

The Geode HTTP Session Management Module for AppServers currently states:
"This approach is a generic solution, which is supported by any container that implements the Servlet 2.4 specification."
I would like to suggest that this official support be bumped up to the Servlet 3.0 specification.

There are some important cookie security features missing in the ancient Servlet 2.4 spec, namely the secure and httpOnly flags. Bumping support to Servlet 3.0 would allow the Geode AppServer session module to inherently support these session cookie security features.

I have logged the following Jira issue:

https://issues.apache.org/jira/browse/GEODE-7438

and submitted a pull request that provides the necessary support if the Geode community agrees this is a good idea.

And thank you for the excellent Apache Geode project!

--

Charles Smith

Developer/Analyst

Web Architecture and Development
MacEwan University
smithc14@macewan.ca
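
The Servlet 3.0 API the proposal relies on, as an added example that is not code from the Geode session module, from PR #4311 or from the original post: a ServletContextListener that declares the session cookie policy through SessionCookieConfig, and a helper showing how a filter that mints its own session cookie (rather than using the container's HttpSession) can read that policy back and honour it. The javax.servlet namespace, the cookie name and the method names are assumptions.

```java
// Added example, not code from the Geode session module, PR #4311 or the
// original post. Assumes the javax.servlet 3.0 API; SESSION_COOKIE_NAME,
// newSessionCookie() and issueSession() are hypothetical names.
import java.util.UUID;

import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionCookieConfig;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Declares the session cookie policy once, at context start-up.
 * The equivalent declaration in a Servlet 3.0 web.xml is:
 *
 *   <session-config>
 *     <cookie-config>
 *       <http-only>true</http-only>
 *       <secure>true</secure>
 *     </cookie-config>
 *   </session-config>
 */
public class SessionCookiePolicy implements ServletContextListener {

    // Hypothetical; a real session module has its own cookie name.
    static final String SESSION_COOKIE_NAME = "JSESSIONID";

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        // The setters throw IllegalStateException once the context is
        // initialised, so this is the only programmatic place to call them.
        SessionCookieConfig cfg = sce.getServletContext().getSessionCookieConfig();
        cfg.setHttpOnly(true); // script cannot read it via document.cookie
        cfg.setSecure(true);   // browser sends it over https:// only
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) {
    }

    /**
     * What a filter that mints its own session cookie (instead of relying on
     * the container's HttpSession) does with the policy: read it back from the
     * context and copy every attribute onto the cookie it issues. Every call
     * marked 3.0 is absent from the Servlet 2.4 API.
     */
    static Cookie newSessionCookie(HttpServletRequest request, String sessionId) {
        ServletContext ctx = request.getServletContext();        // 3.0
        SessionCookieConfig cfg = ctx.getSessionCookieConfig();  // 3.0

        Cookie cookie = new Cookie(SESSION_COOKIE_NAME, sessionId);
        String path = cfg.getPath() != null ? cfg.getPath() : ctx.getContextPath();
        cookie.setPath(path.isEmpty() ? "/" : path);
        if (cfg.getDomain() != null) {
            cookie.setDomain(cfg.getDomain());
        }
        cookie.setMaxAge(cfg.getMaxAge());                       // -1 = browser session
        cookie.setHttpOnly(cfg.isHttpOnly());                    // 3.0
        // Honour the declared policy, and also flag the cookie when this
        // particular request arrived over TLS.
        cookie.setSecure(cfg.isSecure() || request.isSecure());
        return cookie;
    }

    /** Issues a fresh session id to the client; the id generator is a stand-in. */
    static String issueSession(HttpServletRequest request, HttpServletResponse response) {
        String id = UUID.randomUUID().toString();
        response.addCookie(newSessionCookie(request, id));
        return id;
    }
}
```

Two caveats a practitioner will hit: the SessionCookieConfig setters only work before the context finishes initialising, so the policy belongs in the listener or in web.xml, never in request handling; and behind a TLS-terminating proxy request.isSecure() is usually false, so declare secure=true in the configuration rather than relying on the per-request check alone.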


Re: Proposal to modify Servlet spec support for the HTTP Session Management Module for AppServers

Posted by Jens Deppe <jd...@pivotal.io>.
For the purpose of moving this forward, I have merged PR #4311 [1]. From a
runtime POV this now requires a minimum 3.0 servlet compatible container.
Documented minimum, however, is at least 3.1.

I suggest that if anyone would like to see newer support documented, that
should be proposed separately.

Thanks
--Jens

[1] - https://github.com/apache/geode/pull/4311

On Wed, Nov 20, 2019 at 10:15 AM Jens Deppe <jd...@pivotal.io> wrote:

> To be clear, this proposal just wants to update the *minimum* *documented*
> requirement. The following PR would require that to be 3.0:
> https://github.com/apache/geode/pull/4311
>
> There is no additional change required other than documentation.
>
> --Jens
>
> On Wed, Nov 20, 2019 at 9:46 AM Udo Kohlmeyer <ud...@apache.com> wrote:
>
>> I think that we should really be looking at going to 4.0.
>>
>> It would be compatible with 3.1, but given that 4.0 is standard with
>> Java 8 (which is already EOL), we should try and get onto the latest.
>>
>> I don't think that us aligning ourselves with a tech release in 2013 is
>> something we should do.
>>
>> --Udo
>>
>> On 11/20/19 9:17 AM, Jens Deppe wrote:
>> > Since there appears to be consensus, I'm going to give this thread
>> > another 24 hours and will then consider this proposal accepted.
>> >
>> > If anyone does have concerns please do raise them now.
>> >
>> > Thanks
>> > --Jens
>> >
>> > On Sat, Nov 16, 2019 at 8:17 AM Joris Melchior <jm...@pivotal.io> wrote:
>> >
>> >> +1 for bumping to 3.1
>> >>
>> >> On Fri, Nov 15, 2019 at 10:27 PM Jacob Barrett <jb...@pivotal.io> wrote:
>> >>
>> >>> +1 for 3.1
>> >>>
>> >>>> On Nov 15, 2019, at 3:08 PM, Jens Deppe <jd...@pivotal.io> wrote:
>> >>>>
>> >>>> +1 to bumping the documented support to 3.1.
>> >>>>
>> >>>> The prompting for this proposal is due to this PR which specifically
>> >>>> wants to utilize a *3.0* API: https://github.com/apache/geode/pull/4311
>> >>>>
>> >>>> Thus implementing this change will not preclude being able to use the
>> >>>> Session Module in a 3.0 container (even if we document support as
>> >>>> being against 3.1)
>> >>>>
>> >>>> --Jens
>> >>>>
>> >>>>> On Fri, Nov 15, 2019 at 2:57 PM John Blum <jb...@pivotal.io> wrote:
>> >>>>>
>> >>>>> I would minimally bump it to 3.1 then.  Not only does Servlet 3.1
>> >>>>> open up more doors (e.g. NIO), but it is also implemented by all
>> >>>>> current Servlet Container providers (Tomcat, Jetty, etc).
>> >>>>> Additionally, given all the Servlet Containers Jens mentioned at the
>> >>>>> version that started supporting Servlet 3.0 are no longer supported,
>> >>>>> then 3.1 seems like a good/reasonable target.
>> >>>>>
>> >>>>> -j
>> >>>>>
>> >>>>>> On Fri, Nov 15, 2019 at 12:49 PM Dan Smith <ds...@pivotal.io> wrote:
>> >>>>>>
>> >>>>>> +1 to bumping to servlet 3.0.
>> >>>>>>
>> >>>>>> -Dan
>> >>>>>>
>> >>>>>> On Fri, Nov 15, 2019 at 12:16 PM Charles Smith <SmithC14@macewan.ca> wrote:
>> >>>>>>
>> >>>>>>> Seems to me as long as newer Servlet specs do not deprecate
>> >>>>>>> functionality/api that the session module requires AND that the
>> >>>>>>> session module is not missing any important functionality provided
>> >>>>>>> by newer Servlet specs, it's best to base support on the oldest
>> >>>>>>> Servlet spec that is still supported by active container versions.
>> >>>>>>> As Jens nicely enumerated, this seems to be Servlet 3.0 right now.
>> >>>>>>>
>> >>>>>>> At least that's the approach that would give the session management
>> >>>>>>> modules the widest audience. I am currently writing a Servlet 4.0
>> >>>>>>> web app and the Geode session module is working great except that I
>> >>>>>>> need to layer on an additional filter to ensure my session cookies
>> >>>>>>> are secure.
>> >>>>>>>
>> >>>>>>> --
>> >>>>>>>
>> >>>>>>> Charles Smith
>> >>>>>>>
>> >>>>>>> Developer/Analyst
>> >>>>>>>
>> >>>>>>> Web Architecture and Development
>> >>>>>>> MacEwan University
>> >>>>>>> smithc14@macewan.ca
>> >>>>>>>
>> >>>>>>> ________________________________
>> >>>>>>> From: John Blum <jb...@pivotal.io>
>> >>>>>>> Sent: Friday, November 15, 2019 11:17 AM
>> >>>>>>> To: geode <de...@geode.apache.org>
>> >>>>>>> Subject: Re: Proposal to modify Servlet spec support for the HTTP
>> >>>>>>> Session Management Module for AppServers
>> >>>>>>>
>> >>>>>>> Since the Servlet 3.1 spec is available and the current version is
>> >>>>>>> 4.0, why not consider 3.1 or even 4.0, actually?
>> >>>>>>>
>> >>>>>>> -j
>> >>>>>>>
>> >>>>>>> On Fri, Nov 15, 2019 at 8:59 AM Jens Deppe <jd...@pivotal.io> wrote:
>> >>>>>>>
>> >>>>>>>> Hello Charles; thanks very much for bringing this up.
>> >>>>>>>>
>> >>>>>>>> I vote +1 on this proposal.
>> >>>>>>>>
>> >>>>>>>> Just to add a bit more detail for others:
>> >>>>>>>>
>> >>>>>>>> The 3.0 Servlet Spec was finalized at the end of 2009. The
>> >>>>>>>> *earliest* versions of various containers that supported it are:
>> >>>>>>>>
>> >>>>>>>>    - Jetty 8 (EOL'd since 11/2014) [1]
>> >>>>>>>>    - Tomcat 7 (Version 6 EOL'd 2017) [2]
>> >>>>>>>>    - JBoss Web 3.0.0 (version 2.x reached End of Maintenance 11/2017) [3]
>> >>>>>>>>    - WebSphere 8.0 (End of support 4/2018) [4]
>> >>>>>>>>    - WebLogic 12cR1 (Extended Support until 12/2019) [5]
>> >>>>>>>>
>> >>>>>>>> The implication is that, of these products, there are *no*
>> >>>>>>>> currently supported versions that *do not* support the Servlet 3.0
>> >>>>>>>> spec. I believe it is quite safe for us to indicate that the
>> >>>>>>>> Session Modules are now only supported on 3.0 compliant containers.
>> >>>>>>>>
>> >>>>>>>> --Jens
>> >>>>>>>>
>> >>>>>>>> [1] - https://www.eclipse.org/jetty/documentation/current/what-jetty-version.html
>> >>>>>>>> [2] - http://tomcat.apache.org/whichversion.html
>> >>>>>>>> [3] - https://access.redhat.com/support/policy/updates/jboss_notes
>> >>>>>>>> [4] - https://en.wikipedia.org/wiki/IBM_WebSphere_Application_Server
>> >>>>>>>> [5] - https://www.solstice.com/fwd/survival-guide-to-webspheres-and-weblogics-end-of-life
>> >>>>>>>>
>> >>>>>>>> On Fri, Nov 15, 2019 at 8:11 AM Charles Smith <SmithC14@macewan.ca> wrote:
>> >>>>>>>>
>> >>>>>>>>> Hello,
>> >>>>>>>>>
>> >>>>>>>>> The Geode HTTP Session Management Module for AppServers currently
>> >>>>>>>>> states:
>> >>>>>>>>> "This approach is a generic solution, which is supported by any
>> >>>>>>>>> container that implements the Servlet 2.4 specification."
>> >>>>>>>>> I would like to suggest that this official support be bumped up to
>> >>>>>>>>> the Servlet 3.0 specification.
>> >>>>>>>>>
>> >>>>>>>>> There are some important cookie security features missing in the
>> >>>>>>>>> ancient Servlet 2.4 spec, namely the secure and httpOnly flags.
>> >>>>>>>>> Bumping support to Servlet 3.0 would allow the Geode AppServer
>> >>>>>>>>> session module to inherently support these session cookie security
>> >>>>>>>>> features.
>> >>>>>>>>>
>> >>>>>>>>> I have logged the following Jira issue:
>> >>>>>>>>>
>> >>>>>>>>> https://issues.apache.org/jira/browse/GEODE-7438
>> >>>>>>>>>
>> >>>>>>>>> and submitted a pull request that provides the necessary support
>> >>>>>>>>> if the Geode community agrees this is a good idea.
>> >>>>>>>>>
>> >>>>>>>>> And thank you for the excellent Apache Geode project!
>> >>>>>>>>>
>> >>>>>>>>> --
>> >>>>>>>>>
>> >>>>>>>>> Charles Smith
>> >>>>>>>>>
>> >>>>>>>>> Developer/Analyst
>> >>>>>>>>>
>> >>>>>>>>> Web Architecture and Development
>> >>>>>>>>> MacEwan University
>> >>>>>>>>> smithc14@macewan.ca
>> >>>>>>>
>> >>>>>>> --
>> >>>>>>> -John
>> >>>>>>> john.blum10101 (skype)
>> >>>>>
>> >>>>> --
>> >>>>> -John
>> >>>>> john.blum10101 (skype)
>> >>
>> >> --
>> >> *Joris Melchior *
>> >> CF Engineering
>> >> Pivotal Toronto
>> >> 416 877 5427
>> >>
>> >> “Programs must be written for people to read, and only incidentally for
>> >> machines to execute.” – *Hal Abelson*
>> >> <https://en.wikipedia.org/wiki/Hal_Abelson>
>>
>
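
The "additional filter" Charles mentions in the quoted 12:16 PM message, as an added example that is neither his code nor Geode's: a servlet filter that wraps the response and forces HttpOnly and Secure onto the session cookie's Set-Cookie header. This is the only option when the component that creates the cookie cannot set the flags itself, for instance one written against the Servlet 2.4 API, whose Cookie class has no setHttpOnly(). The class name, the cookieName init-param and the default cookie name are assumptions.

```java
// Added example, not the original poster's filter or code from the Geode
// session module. Assumes the javax.servlet API (2.4 or later is enough);
// SecureSessionCookieFilter, the "cookieName" init-param and the default
// name "JSESSIONID" are hypothetical. Register it first in the chain:
//
//   <filter>
//     <filter-name>secureSessionCookie</filter-name>
//     <filter-class>SecureSessionCookieFilter</filter-class>
//     <init-param><param-name>cookieName</param-name><param-value>JSESSIONID</param-value></init-param>
//   </filter>
//   <filter-mapping><filter-name>secureSessionCookie</filter-name><url-pattern>/*</url-pattern></filter-mapping>
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

public class SecureSessionCookieFilter implements Filter {

    private String cookieName = "JSESSIONID"; // hypothetical default

    @Override
    public void init(FilterConfig config) {
        String configured = config.getInitParameter("cookieName");
        if (configured != null && !configured.isEmpty()) {
            cookieName = configured;
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse http = (HttpServletResponse) res;
        chain.doFilter(req, new HardeningResponse(http, cookieName, req.isSecure()));
    }

    @Override
    public void destroy() {
    }

    /** Appends the flags to a Set-Cookie value for the session cookie; leaves others alone. */
    static String harden(String setCookie, String cookieName, boolean secureRequest) {
        if (setCookie == null || !setCookie.trim().startsWith(cookieName + "=")) {
            return setCookie;
        }
        String lower = setCookie.toLowerCase();
        StringBuilder sb = new StringBuilder(setCookie);
        if (!lower.contains("; httponly")) {
            sb.append("; HttpOnly");
        }
        // Only mark Secure when the request really came over TLS: a Secure
        // cookie set over plain http is discarded by the browser, and every
        // request would then mint a fresh session.
        if (secureRequest && !lower.contains("; secure")) {
            sb.append("; Secure");
        }
        return sb.toString();
    }

    /** Intercepts every way a Set-Cookie header can reach the response. */
    static final class HardeningResponse extends HttpServletResponseWrapper {
        private final String cookieName;
        private final boolean secureRequest;

        HardeningResponse(HttpServletResponse response, String cookieName, boolean secureRequest) {
            super(response);
            this.cookieName = cookieName;
            this.secureRequest = secureRequest;
        }

        @Override
        public void addCookie(Cookie cookie) {
            if (!cookieName.equals(cookie.getName())) {
                super.addCookie(cookie);
                return;
            }
            // Serialise the session cookie ourselves so the flags are under
            // our control even when the Cookie object cannot carry them.
            StringBuilder sb = new StringBuilder();
            sb.append(cookie.getName()).append('=').append(cookie.getValue());
            if (cookie.getPath() != null) sb.append("; Path=").append(cookie.getPath());
            if (cookie.getDomain() != null) sb.append("; Domain=").append(cookie.getDomain());
            if (cookie.getMaxAge() >= 0) sb.append("; Max-Age=").append(cookie.getMaxAge());
            super.addHeader("Set-Cookie", harden(sb.toString(), cookieName, secureRequest));
        }

        @Override
        public void addHeader(String name, String value) {
            super.addHeader(name, "Set-Cookie".equalsIgnoreCase(name)
                    ? harden(value, cookieName, secureRequest) : value);
        }

        @Override
        public void setHeader(String name, String value) {
            super.setHeader(name, "Set-Cookie".equalsIgnoreCase(name)
                    ? harden(value, cookieName, secureRequest) : value);
        }
    }
}
```

The wrapper has to sit in front of whatever creates the cookie, so the filter must be mapped before the session filter in web.xml; and, as with the listener approach, a TLS-terminating proxy makes req.isSecure() false, so in that deployment the Secure decision should come from configuration (or from the proxy's forwarded-protocol header, after validating that it can only be set by the proxy) rather than from the request.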

Re: Proposal to modify Servlet spec support for the HTTP Session Management Module for AppServers

Posted by Jens Deppe <jd...@pivotal.io>.
To be clear, this proposal just wants to update the *minimum* *documented*
requirement. The following PR would require that to be 3.0:
https://github.com/apache/geode/pull/4311

There is no additional change required other than documentation.

--Jens

On Wed, Nov 20, 2019 at 9:46 AM Udo Kohlmeyer <ud...@apache.com> wrote:


Re: Proposal to modify Servlet spec support for the HTTP Session Management Module for AppServers

Posted by Udo Kohlmeyer <ud...@apache.com>.
I think that we should really be looking at going to 4.0.

It would be compatible with 3.1, but given that 4.0 is standard with
Java 8 (which is already EOL), we should try and get onto the latest.

I don't think that us aligning ourselves with a tech release in 2013 is 
something we should do.

--Udo

On 11/20/19 9:17 AM, Jens Deppe wrote:

Re: Proposal to modify Servlet spec support for the HTTP Session Management Module for AppServers

Posted by Jens Deppe <je...@apache.org>.
Since there appears to be consensus, I'm going to give this thread another
24 hours and will then consider this proposal accepted.

If anyone does have concerns please do raise them now.

Thanks
--Jens

On Sat, Nov 16, 2019 at 8:17 AM Joris Melchior <jm...@pivotal.io> wrote:


Re: Proposal to modify Servlet spec support for the HTTP Session Management Module for AppServers

Posted by Joris Melchior <jm...@pivotal.io>.
+1 for bumping to 3.1

-- 
*Joris Melchior *
CF Engineering
Pivotal Toronto
416 877 5427

“Programs must be written for people to read, and only incidentally for
machines to execute.” – *Hal Abelson*
<https://en.wikipedia.org/wiki/Hal_Abelson>

Re: Proposal to modify Servlet spec support for the HTTP Session Management Module for AppServers

Posted by Jacob Barrett <jb...@pivotal.io>.
+1 for 3.1

Re: Proposal to modify Servlet spec support for the HTTP Session Management Module for AppServers

Posted by Jens Deppe <jd...@pivotal.io>.
+1 to bumping the documented support to 3.1.

The prompting for this proposal is due to this PR which specifically wants
to utilize a *3.0* API: https://github.com/apache/geode/pull/4311

Thus, implementing this change will not preclude being able to use the
Session Module in a 3.0 container (even if we document support as being
against 3.1).

--Jens


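As an added example of the API gap this thread turns on (not code from the Geode project, its session module, or anyone in this thread): the Servlet 3.0 SessionCookieConfig call that the 2.4 spec has no equivalent for, beside a response-wrapping filter of the kind Charles mentions layering on so that every cookie leaving the application carries Secure and HttpOnly. Class names are hypothetical, and both pieces assume a Servlet 3.0+ container with the javax.servlet API.

```java
// Added example, not code from the Geode project or this thread. Class names are hypothetical.
// Both classes need a Servlet 3.0+ container: SessionCookieConfig and Cookie.setHttpOnly
// do not exist in the Servlet 2.4 API, which is exactly the gap the proposal addresses.
// --- File: SessionCookieHardening.java ---
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionCookieConfig;
import javax.servlet.annotation.WebListener;

/** Servlet 3.0 way: have the container put Secure and HttpOnly on the session cookie it issues. */
@WebListener
public class SessionCookieHardening implements ServletContextListener {
    @Override
    public void contextInitialized(ServletContextEvent sce) {
        SessionCookieConfig cfg = sce.getServletContext().getSessionCookieConfig();
        cfg.setHttpOnly(true);  // session id is not exposed to document.cookie
        cfg.setSecure(true);    // session id is only ever sent over TLS
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) { }
}

// --- File: SecureCookieFilter.java ---
import java.io.IOException;
import java.util.Locale;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

/**
 * Extra layer of the kind Charles describes: every cookie that downstream code adds
 * through this response, via addCookie or a raw Set-Cookie header, leaves with both flags.
 */
@WebFilter(urlPatterns = "/*")
public class SecureCookieFilter implements Filter {
    @Override
    public void init(FilterConfig filterConfig) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (res instanceof HttpServletResponse) {
            res = new HardeningResponse((HttpServletResponse) res);
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() { }

    /** Adds "; Secure" and "; HttpOnly" to a Set-Cookie value unless each is already present. */
    static String hardenSetCookie(String value) {
        boolean secure = false, httpOnly = false;
        String[] parts = value.split(";");
        for (int i = 1; i < parts.length; i++) {  // parts[0] is the name=value pair
            String attr = parts[i].trim().toLowerCase(Locale.ROOT);
            secure |= attr.equals("secure");
            httpOnly |= attr.equals("httponly");
        }
        StringBuilder sb = new StringBuilder(value.trim());
        if (!secure) sb.append("; Secure");
        if (!httpOnly) sb.append("; HttpOnly");
        return sb.toString();
    }

    private static final class HardeningResponse extends HttpServletResponseWrapper {
        HardeningResponse(HttpServletResponse response) { super(response); }

        @Override
        public void addCookie(Cookie cookie) {
            cookie.setSecure(true);
            cookie.setHttpOnly(true);  // Servlet 3.0 API; no 2.4 equivalent
            super.addCookie(cookie);
        }

        @Override
        public void addHeader(String name, String value) {
            super.addHeader(name, "Set-Cookie".equalsIgnoreCase(name) ? hardenSetCookie(value) : value);
        }

        @Override
        public void setHeader(String name, String value) {
            super.setHeader(name, "Set-Cookie".equalsIgnoreCase(name) ? hardenSetCookie(value) : value);
        }
    }
}
```

The filter only sees cookies written through the wrapped response; the cookie the container itself issues for its own HttpSession is governed by the SessionCookieConfig settings in the listener.
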
Re: Proposal to modify Servlet spec support for the HTTP Session Management Module for AppServers

Posted by John Blum <jb...@pivotal.io>.
1 more thing...

You can provide additional/dedicated support for newer versions (e.g.
Servlet 4.0) without (unduly) sacrificing backwards compatibility.  This is
done by many popular Java frameworks in fact, which also simultaneously
constitute a minimum baseline (e.g. Servlet 3.1).  Be current and
compatible where it makes sense.  Servlet 3.1 is a very powerful and
logical choice at this particular point in time.

FYR...

Apache Tomcat:
https://docs.spring.io/spring-boot-data-geode-build/1.2.x/reference/html5/
Eclipse Jetty:
https://www.eclipse.org/jetty/documentation/current/what-jetty-version.html
Undertow:
http://undertow.io/undertow-docs/undertow-docs-1.3.0/index.html#getting-undertow
... http://undertow.io/



-- 
-John
john.blum10101 (skype)

Re: Proposal to modify Servlet spec support for the HTTP Session Management Module for AppServers

Posted by John Blum <jb...@pivotal.io>.
I would minimally bump it to 3.1 then. Not only does Servlet 3.1 open up
more doors (e.g. NIO), but it is also implemented by all current Servlet
Container providers (Tomcat, Jetty, etc.). Additionally, given that all the
Servlet Containers Jens mentioned at the version that started supporting
Servlet 3.0 are no longer supported, 3.1 seems like a good/reasonable
target.

-j

-- 
-John
john.blum10101 (skype)

Re: Proposal to modify Servlet spec support for the HTTP Session Management Module for AppServers

Posted by Dan Smith <ds...@pivotal.io>.
+1 to bumping to servlet 3.0.

-Dan

Re: Proposal to modify Servlet spec support for the HTTP Session Management Module for AppServers

Posted by Charles Smith <Sm...@macewan.ca>.
It seems to me that, as long as newer Servlet specs do not deprecate functionality/API that the session module requires AND the session module is not missing any important functionality provided by newer Servlet specs, it's best to base support on the oldest Servlet spec that is still supported by active container versions. As Jens nicely enumerated, this seems to be Servlet 3.0 right now.

At least that's the approach that would give the session management modules the widest audience. I am currently writing a Servlet 4.0 web app and the Geode session module is working great except that I need to layer on an additional filter to ensure my session cookies are secure.


--

Charles Smith

Developer/Analyst

Web Architecture and Development
MacEwan University
smithc14@macewan.ca



Re: Proposal to modify Servlet spec support for the HTTP Session Management Module for AppServers

Posted by John Blum <jb...@pivotal.io>.
Since the Servlet 3.1 spec is available and the current version is 4.0, why
not consider 3.1 or even 4.0, actually?

-j



-- 
-John
john.blum10101 (skype)

Re: Proposal to modify Servlet spec support for the HTTP Session Management Module for AppServers

Posted by Jens Deppe <jd...@pivotal.io>.
Hello Charles; thanks very much for bringing this up.

I vote +1 on this proposal.

Just to add a bit more details for others:

The 3.0 Servlet Spec was finalized at the end of 2009. The *earliest*
versions of various containers that supported it are:

   - Jetty 8 (EOL'd since 11/2014) [1]
   - Tomcat 7 (Version 6 EOL'd 2017) [2]
   - JBoss Web 3.0.0 (version 2.x reached End of Maintenance 11/2017) [3]
   - Websphere 8.0 (End of support 4/2018) [4]
   - Weblogic 12cR1 (Extended Support until 12/2019) [5]

The implication is that, of these products, there are *no* currently
supported versions that *do not* support the Servlet 3.0 spec. I believe it
is quite safe for us to indicate that the Session Modules are now only
supported on 3.0 compliant containers.

--Jens

[1] -
https://www.eclipse.org/jetty/documentation/current/what-jetty-version.html
[2] - http://tomcat.apache.org/whichversion.html
[3] - https://access.redhat.com/support/policy/updates/jboss_notes
[4] - https://en.wikipedia.org/wiki/IBM_WebSphere_Application_Server
[5] -
https://www.solstice.com/fwd/survival-guide-to-webspheres-and-weblogics-end-of-life
