Posted to dev@directory.apache.org by Alex Karasulu <ao...@bellsouth.net> on 2005/03/08 18:13:29 UTC

Do we want to jump to JDK 1.5 (was: Re: [GUMP@brutus]: Project mina (in module mina) failed)

I think we need to make a decision about whether or not we want to 
support JDK 1.5 and what this means for backwards compatibility. 

What are the pros and cons at this point? 

I don't think it's practical using the server without SSL so I don't mind 
jumping to 1.5.  If it does not happen today it will in the next 6 
months I think. 

I still have not started using the new features that arrived in 1.4 :( 
but this is another story.

Alex

Trustin Lee wrote:

>Hi,
>
>On Tue, 08 Mar 2005 08:59:11 -0800, Brett Porter <br...@apache.org> wrote:
>  
>
>>Gump currently runs on JDK 1.4, and there is also a 1.5 build nightly.
>>
>>Do you require Java 5, and is that wise? I thought the min requirements
>>would be 1.4.
>>    
>>
>
>MINA requires Java 5 only for SSL support.  It runs OK in 1.4 if you
>don't use SSL. :)
>
>Trustin
>  
>


RE: Do we want to jump to JDK 1.5 (was: Re: [GUMP@brutus]: Project mina (in module mina) failed)

Posted by "Noel J. Bergman" <no...@devtech.com>.
> > For Internet use, try www.stunnel.org

> +1

> People can also forward ports with SSH if they want a secure tunnel.

The difference is that stunnel is a proxy, and is totally transparent to
both the client and server process.

	--- Noel


Re: Do we want to jump to JDK 1.5 (was: Re: [GUMP@brutus]: Project mina (in module mina) failed)

Posted by Brennan Stehling <of...@gmail.com>.
> For Internet use, try www.stunnel.org if you don't have access to a current
> JVM.
> 
>         --- Noel

+1

People can also forward ports with SSH if they want a secure tunnel. 
I do that for remote MySQL connections to get past my firewall to
port 3306.

-- 
Brennan Stehling : http://brennan.offwhite.net/blog/

RE: Do we want to jump to JDK 1.5 (was: Re: [GUMP@brutus]: Project mina (in module mina) failed)

Posted by "Noel J. Bergman" <no...@devtech.com>.
> SSL may be a desired feature, but if I am simply going to use
> Apache DS to look up LDAP information via localhost and not
> over the internet I am not very concerned about SSL protection.

For Internet use, try www.stunnel.org if you don't have access to a current
JVM.

	--- Noel


Re: Do we want to jump to JDK 1.5 (was: Re: [GUMP@brutus]: Project mina (in module mina) failed)

Posted by Brennan Stehling <of...@gmail.com>.
> What are the pros and cons at this point?

I feel that requiring 1.5 will decrease the possible install base
dramatically.  In many corporate environments development will lag
behind and require an older JRE.  In these environments 1.5 is not
even on the radar since 1.3 or 1.4 is in place and working.

Consider that Apple is still at 1.4 with JRE 1.5 coming with OS X
10.4.  No Mac owners will be able to run Apache DS if 1.5 is required.

Also for people who host services with an ISP they must go with what
the ISP provides and moving to 1.5 is not as simple as asking the ISP
to upgrade.

And since I personally run FreeBSD I will not be able to run JRE 1.5
as it is currently marked as pre-alpha.  I am still feeling that 1.4
on FreeBSD is a bit shaky.  SSL may be a desired feature, but if I am
simply going to use Apache DS to look up LDAP information via
localhost and not over the internet I am not very concerned about SSL
protection.

If we consider the competition to this application, such as OpenLDAP
and Bind 9, we already have a smaller possible install base.  Those
services are C programs which have been ported to many platforms while
Apache DS can only run on JRE capable systems.  Sun only provides a
JRE for a select few platforms and Apple, FreeBSD and other platforms
have to fend for themselves.  And they always lag behind the Sun
releases.

So right now the possible installed platforms for JRE 1.5 would be
Windows and Linux when they are lucky enough to be up to date. 
And many Java developers I have been talking with feel that there is
no compelling reason to move to 1.5 so they remain at 1.4.

-- 
Brennan Stehling : http://brennan.offwhite.net/blog/

RE: Do we want to jump to JDK 1.5

Posted by "Noel J. Bergman" <no...@devtech.com>.
Remember that the JVM chosen is for the server, not the clients.  If there
are things we need to deliver a robust server, whose clients may not even be
Java-based, that should be the criteria.

	--- Noel


Re: Do we want to jump to JDK 1.5

Posted by Enrique Rodriguez <er...@apache.org>.
Alex Karasulu wrote:
> David Boreham wrote:
> 
>>> IMO, a big risk to adoption. Is it really not possible to do the SSL 
>>> in 1.4?
>>
>> Yeah, I'd like to learn more about the problem with SSL in 1.4 myself.
>>
>> Requiring Java 5 seems a little painful right now : I don't have any
>> clients that are able to use it.
> 
> Very reasonable points.
> Dave could you look and see if we can back port the SSL filter so it 
> works on 1.4?
> If we can make it work on 1.4 then it is the most comfortable to stay on 
> 1.4.  However if I have to choose between having SSL and not ... I'd 
> move to 1.5 to have it.

1.5 also has built-in support for SASL, which I would use to add 
Kerberos support to the LDAP wire protocol.

I'm also looking forward to the built-in Triple DES encryption types, 
though I am currently getting them from BouncyCastle.  I could drop the 
BC requirement with 1.5, though, admittedly, that's a weak "nice to 
have."  There are some other JAAS enhancements that would help SSO:

http://java.sun.com/j2se/1.5.0/docs/guide/security/jgss/jgss-tiger.html

That "Top Ten" list Alex sent yesterday means we'll be at this for a 
while ... realistically, what enterprise is going to make a major move 
to ApacheDS any time soon?

I am personally for 1.5 but will defer in a second if we actually have 
customers.

-enrique


> 
> Alex

Re: Do we want to jump to JDK 1.5

Posted by Alex Karasulu <ao...@bellsouth.net>.
David Boreham wrote:

>> IMO, a big risk to adoption. Is it really not possible to do the SSL 
>> in 1.4?
>
>
> Yeah, I'd like to learn more about the problem with SSL in 1.4 myself.
>
> Requiring Java 5 seems a little painful right now : I don't have any
> clients that are able to use it.

Very reasonable points. 

Dave could you look and see if we can back port the SSL filter so it 
works on 1.4? 

If we can make it work on 1.4 then it is the most comfortable to stay on 
1.4.  However if I have to choose between having SSL and not ... I'd 
move to 1.5 to have it.

Alex


Re: Do we want to jump to JDK 1.5

Posted by David Boreham <da...@bozemanpass.com>.
> IMO, a big risk to adoption. Is it really not possible to do the SSL in 
> 1.4?

Yeah, I'd like to learn more about the problem with SSL in 1.4 myself.

Requiring Java 5 seems a little painful right now : I don't have any
clients that are able to use it.



Re: Do we want to jump to JDK 1.5

Posted by Brett Porter <br...@apache.org>.
IMO, a big risk to adoption. Is it really not possible to do the SSL in 1.4?

Other than that, requiring JDK 5 for certain features but not the base 
server is pretty reasonable.

- Brett

Alex Karasulu wrote:

> I think we need to make a decision about whether or not we want to 
> support JDK 1.5 and what this means for backwards compatibility.
> What are the pros and cons at this point?
> I don't think it's practical using the server without SSL so I don't 
> mind jumping to 1.5.  If it does not happen today it will in the next 
> 6 months I think.
> I still have not started using the new features that arrived in 1.4 :( 
> but this is another story.
>
> Alex



Re: Do we want to jump to JDK 1.5 (was: Re: [GUMP@brutus]: Project mina (in module mina) failed)

Posted by Trustin Lee <tr...@gmail.com>.
Hi,

On Tue, 08 Mar 2005 12:13:29 -0500, Alex Karasulu <ao...@bellsouth.net> wrote:
> I think we need to make a decision about whether or not we want to
> support JDK 1.5 and what this means for backwards compatibility.
> 
> What are the pros and cons at this point?
> 
> I don't think it's practical using the server without SSL so I don't mind
> jumping to 1.5.  If it does not happen today it will in the next 6
> months I think.
> 
> I still have not started using the new features that arrived in 1.4 :(
> but this is another story.

If we want SSL support for JDK 1.4, we'll have to program our own
SSLEngine which is tough. :)  But I don't think it is impossible. 
People must have not tried this because it is already there in Java 5.

What matters is the time it takes.

Trustin
-- 
what we call human nature is actually human habit
--
http://gleamynode.net/

Re: Do we want to jump to JDK 1.5

Posted by Enrique Rodriguez <er...@apache.org>.
Alex Karasulu wrote:
> Brett Porter wrote:
> 
>> If this is correct, it still sounds best to me that we attempt to 
>> modularise that support so that it can run on 1.4 without SSL support, 
>> or run on 5.0 with SSL support turned on.
> 
> 
> +1 I totally agree - leave the decision to the user.

+1, mina-addons or whatever.  Hopefully we'll get more contributions 
like SSL.  Maybe Trustin can move the Netty2 support there, as well, so 
the MINA-core doesn't have the dep on tl-netty2.

-enrique

> 
>>
>> - Brett
>>
>> David Boreham wrote:
>>
>>>> Does Tomcat run SSL on JRE 1.4?  If so, can we copy what they are 
>>>> doing?
>>>
>>>
>>>
>>>
>>> SSL support has been in the JRE for a long time.
>>> That's not the point of discussion here.
>>> The issue is that Apache DS (or really mina) is designed around the 
>>> new 'nio' I/O architecture.
>>> Apparently there is no good SSL support for
>>> nio before Java 5.
>>>
>>> So basically it boils down to this: SSL could be
>>> supported with JRE 1.4, but to do so would mean
>>> significant work and (I would guess) lower performance.
>>>
>>> Did I get that right ?
>>>
>>>
>>
>>

Re: Do we want to jump to JDK 1.5 (was: Re: [GUMP@brutus]: Project mina (in module mina) failed)

Posted by Alex Karasulu <ao...@bellsouth.net>.
Brett Porter wrote:

> If this is correct, it still sounds best to me that we attempt to 
> modularise that support so that it can run on 1.4 without SSL support, 
> or run on 5.0 with SSL support turned on.

+1 I totally agree - leave the decision to the user.

>
> - Brett
>
> David Boreham wrote:
>
>>> Does Tomcat run SSL on JRE 1.4?  If so, can we copy what they are 
>>> doing?
>>
>>
>>
>> SSL support has been in the JRE for a long time.
>> That's not the point of discussion here.
>> The issue is that Apache DS (or really mina) is designed around the 
>> new 'nio' I/O architecture.
>> Apparently there is no good SSL support for
>> nio before Java 5.
>>
>> So basically it boils down to this: SSL could be
>> supported with JRE 1.4, but to do so would mean
>> significant work and (I would guess) lower performance.
>>
>> Did I get that right ?
>>
>>
>
>


Re: Do we want to jump to JDK 1.5 (was: Re: [GUMP@brutus]: Project mina (in module mina) failed)

Posted by Vincent Tence <vt...@videotron.ca>.
Noel J. Bergman wrote:
>>I'd hate to butcher MINA just for 1.4 compat and SSL
> 
> 
> Just stick with NIO, and require Java 5 for anyone who wants to configure
> SSL support.
> 
> 	--- Noel
> 

+1

Makes sense to me as well. We need to focus on the highest priority items.

-- Vincent

RE: Do we want to jump to JDK 1.5 (was: Re: [GUMP@brutus]: Project mina (in module mina) failed)

Posted by "Noel J. Bergman" <no...@devtech.com>.
> I'd hate to butcher MINA just for 1.4 compat and SSL

Just stick with NIO, and require Java 5 for anyone who wants to configure
SSL support.

	--- Noel


Re: Do we want to jump to JDK 1.5 (was: Re: [GUMP@brutus]: Project mina (in module mina) failed)

Posted by Brennan Stehling <of...@gmail.com>.
I feel that an initial setup without an upgrade requirement would be
helpful for anyone who is trying Apache DS for the first time.  It
will allow them to try it out without added work.

If they are trying it for use in a corporate environment they will
need to be able to set up a quick and dirty demo with their current
environment to show to the suits.  It does not have to be totally
secure if they are just using mock user accounts for testing and we
could stress that in the setup instructions.

Once they realize the benefits of Apache DS they will have reason to
do the upgrade to JRE 1.5.

Brennan

On Tue, 08 Mar 2005 16:23:00 -0500, Alex Karasulu <ao...@bellsouth.net> wrote:
> David Boreham wrote:
> 
> >
> >
> >> If this is correct, it still sounds best to me that we attempt to
> >> modularise that support so that it can run on 1.4 without SSL
> >> support, or run on 5.0 with SSL support turned on.
> >
> >
> > Well yes. But an LDAP server without SSL is
> > of quite limited use in production.
> 
> I have a feeling those using it in prod will use it with jdk 1.5 if they
> can do that at all.
> 
> Oh and btw answering your previous question yes using SSL in 1.4 can be
> done but you lose all the gains from NIO.  This is not a good idea with
> a stateful protocol.  Just think we'll need a thread per client to
> track SSL IO rather than using a selector in NIO.  This will make the
> server terribly inefficient as we increase the number of concurrent
> connections.  Without NIO stateful protocols don't have a chance in Java
> land.
> 
> However it should be fine when concurrency is low.  I'd hate to butcher
> MINA just for 1.4 compat and SSL.  Regardless it's worth inquiring.
> Trustin do you think there is a way this can be done without creating a
> mess or a massive effort?
> 
> 
> Alex
> 
> 


-- 
Brennan Stehling : http://brennan.offwhite.net/blog/

Re: Do we want to jump to JDK 1.5 (was: Re: [GUMP@brutus]: Project mina (in module mina) failed)

Posted by David Boreham <da...@bozemanpass.com>.
> Oh and btw answering your previous question yes using SSL in 1.4 can be 
> done but you lose all the gains from NIO.  This is not a good idea with 
> a stateful protocol.  Just think we'll need a thread per client to 
> track SSL IO rather than using a selector in NIO.  This will make the 
> server terribly inefficient as we increase the number of concurrent 
> connections.  Without NIO stateful protocols don't have a chance in Java 
> land.

Yes. I'd much rather have nio and SSL but require Java 5,
than no nio and Java 1.4.



Re: Do we want to jump to JDK 1.5 (was: Re: [GUMP@brutus]: Project mina (in module mina) failed)

Posted by Alex Karasulu <ao...@bellsouth.net>.
David Boreham wrote:

>
>
>> If this is correct, it still sounds best to me that we attempt to 
>> modularise that support so that it can run on 1.4 without SSL 
>> support, or run on 5.0 with SSL support turned on.
>
>
> Well yes. But an LDAP server without SSL is
> of quite limited use in production.


I have a feeling those using it in prod will use it with jdk 1.5 if they 
can do that at all.


Oh and btw answering your previous question yes using SSL in 1.4 can be 
done but you lose all the gains from NIO.  This is not a good idea with 
a stateful protocol.  Just think we'll need a thread per client to 
track SSL IO rather than using a selector in NIO.  This will make the 
server terribly inefficient as we increase the number of concurrent 
connections.  Without NIO stateful protocols don't have a chance in Java 
land.


However it should be fine when concurrency is low.  I'd hate to butcher 
MINA just for 1.4 compat and SSL.  Regardless it's worth inquiring.  
Trustin do you think there is a way this can be done without creating a 
mess or a massive effort?


Alex



Re: Do we want to jump to JDK 1.5 (was: Re: [GUMP@brutus]: Project mina (in module mina) failed)

Posted by David Boreham <da...@bozemanpass.com>.

> If this is correct, it still sounds best to me that we attempt to 
> modularise that support so that it can run on 1.4 without SSL support, 
> or run on 5.0 with SSL support turned on.

Well yes. But an LDAP server without SSL is
of quite limited use in production.





Re: Do we want to jump to JDK 1.5 (was: Re: [GUMP@brutus]: Project mina (in module mina) failed)

Posted by Brett Porter <br...@apache.org>.
If this is correct, it still sounds best to me that we attempt to 
modularise that support so that it can run on 1.4 without SSL support, 
or run on 5.0 with SSL support turned on.

- Brett

David Boreham wrote:

>> Does Tomcat run SSL on JRE 1.4?  If so, can we copy what they are doing?
>
>
> SSL support has been in the JRE for a long time.
> That's not the point of discussion here.
> The issue is that Apache DS (or really mina) is designed around the 
> new 'nio' I/O architecture.
> Apparently there is no good SSL support for
> nio before Java 5.
>
> So basically it boils down to this: SSL could be
> supported with JRE 1.4, but to do so would mean
> significant work and (I would guess) lower performance.
>
> Did I get that right ?
>
>


Re: Do we want to jump to JDK 1.5 (was: Re: [GUMP@brutus]: Project mina (in module mina) failed)

Posted by David Boreham <da...@bozemanpass.com>.
> Does Tomcat run SSL on JRE 1.4?  If so, can we copy what they are doing?

SSL support has been in the JRE for a long time.
That's not the point of discussion here.
The issue is that Apache DS (or really mina) 
is designed around the new 'nio' I/O architecture.
Apparently there is no good SSL support for
nio before Java 5.

So basically it boils down to this: SSL could be
supported with JRE 1.4, but to do so would mean
significant work and (I would guess) lower performance.

Did I get that right ? 



Re: Do we want to jump to JDK 1.5 (was: Re: [GUMP@brutus]: Project mina (in module mina) failed)

Posted by Brennan Stehling <of...@gmail.com>.
Does Tomcat run SSL on JRE 1.4?  If so, can we copy what they are doing?

- Brennan

On Tue, 8 Mar 2005 21:50:42 +0100, Jan Andersson <ja...@minq.se> wrote:
> I don't have an opinion if you should jump to 1.5 or not...
> But regarding:
> 
> > So, I took a look at the SSL patch.
> > Unfortunately I'm not enough of a Java-head to know what about it
> > requires Java 5. Is it that you can't get SSL over nio
> > in Java 1.4 ?
> 
> There is no (good) way to get SSL to work with nio without using
> the SSLEngine, that is new with Java 5. I have searched the web
> and found some hacks that didn't work too well...
> 
> I'm on Mac OS X myself, so I really did look for a solution ;)
> 
> /Janne
> 
> 


-- 
Brennan Stehling : http://brennan.offwhite.net/blog/

Re: Do we want to jump to JDK 1.5 (was: Re: [GUMP@brutus]: Project mina (in module mina) failed)

Posted by Jan Andersson <ja...@minq.se>.
I don't have an opinion if you should jump to 1.5 or not...
But regarding:

> So, I took a look at the SSL patch.
> Unfortunately I'm not enough of a Java-head to know what about it
> requires Java 5. Is it that you can't get SSL over nio
> in Java 1.4 ?

There is no (good) way to get SSL to work with nio without using
the SSLEngine, that is new with Java 5. I have searched the web
and found some hacks that didn't work too well...

I'm on Mac OS X myself, so I really did look for a solution ;)

/Janne




Re: Do we want to jump to JDK 1.5 (was: Re: [GUMP@brutus]: Project mina (in module mina) failed)

Posted by David Boreham <da...@bozemanpass.com>.
So, I took a look at the SSL patch.
Unfortunately I'm not enough of a Java-head to know what about it
requires Java 5. Is it that you can't get SSL over nio
in Java 1.4 ?



RE: Do we want to jump to JDK 1.5 (was: Re: [GUMP@brutus]: Project mina (in module mina) failed)

Posted by "Noel J. Bergman" <no...@devtech.com>.
> I still have not started using the new features that arrived in 1.4 :( 
> but this is another story.

Of course you have: nio.

And if you want SSL over nio, that comes in Java 5.

	--- Noel
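
The thread's technical point, that SSLEngine is what lets SSL run under a selector instead of a thread per client, shown as an added example that is not part of the original messages or of MINA's code. It drives the client half of a handshake with no socket at all, on a current JDK; the class name, method name, peer name and port are assumptions made for the illustration.

```java
import java.nio.ByteBuffer;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLEngineResult;
import javax.net.ssl.SSLEngineResult.HandshakeStatus;

// Added illustration (hypothetical class and method names, not MINA code).
// SSLEngine never touches a socket: it turns ByteBuffers into ByteBuffers,
// so one selector thread can do the channel I/O for many connections.
public class SslEngineNioSketch {

    // Advance the handshake as far as it can go without network input and
    // return the bytes the caller must write to its non-blocking channel.
    static ByteBuffer pumpHandshake(SSLEngine engine) throws Exception {
        ByteBuffer appOut = ByteBuffer.allocate(0); // no application data yet
        ByteBuffer netOut = ByteBuffer.allocate(
                engine.getSession().getPacketBufferSize());
        HandshakeStatus hs = engine.getHandshakeStatus();
        while (true) {
            if (hs == HandshakeStatus.NEED_TASK) {
                // Expensive work is handed back to the caller, which may
                // run it on a worker pool instead of the selector thread.
                Runnable task;
                while ((task = engine.getDelegatedTask()) != null) {
                    task.run();
                }
                hs = engine.getHandshakeStatus();
            } else if (hs == HandshakeStatus.NEED_WRAP) {
                SSLEngineResult r = engine.wrap(appOut, netOut);
                if (r.getStatus() != SSLEngineResult.Status.OK) {
                    throw new IllegalStateException("wrap: " + r.getStatus());
                }
                hs = r.getHandshakeStatus();
            } else {
                // NEED_UNWRAP (or handshake done): nothing more to do until
                // the selector reports readable bytes from the peer.
                netOut.flip();
                return netOut;
            }
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed peer name and port; hints only, no connection is made.
        SSLEngine client = SSLContext.getDefault()
                .createSSLEngine("ldap.example.test", 636);
        client.setUseClientMode(true);
        client.beginHandshake();

        ByteBuffer out = pumpHandshake(client);
        System.out.println("TLS record content type: " + (out.get(0) & 0xff));
        System.out.println("bytes queued for the channel: " + out.remaining());
        System.out.println("engine now waits with status: "
                + client.getHandshakeStatus());
    }
}
```

A blocking SSLSocket hides this state machine inside read() and write(), which is why the 1.4 route discussed in the thread costs a thread per connection.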