users@javaee-spec.java.net

[javaee-spec users] Re: [jsr366-experts] clarification: session(-less) applications

From: arjan tijms <arjan.tijms_at_gmail.com>
Date: Tue, 4 Nov 2014 18:05:55 +0100

Hi,

On Tue, Nov 4, 2014 at 5:00 PM, Yannick Majoros
<yannick.majoros_at_gmail.com> wrote:
> While trying to find out if a server is allowed to create sessions for REST
> services, I didn't find anything in Java EE specifications.
>
> [...]
>
> Shouldn't there be a standard way to say that you want to have a stateless application?

I absolutely agree! As a coincidence I was just discussing the exact
same thing here ;)

Currently there's not even a way in Servlet to indicate that you don't
want any sessions. There are some workarounds like installing a filter
that wraps the request and blocking the createSession methods, but A)
that's a somewhat non-obvious and hacky way and B) it doesn't even
work in all situations (a JASPIC auth module for instance sees the
request before a Filter does, so it can create a session before a
Filter gets to intercept it).

So I would propose to have at the very least a Servlet method to
easily disable sessions, but to investigate if it's possible to go one
step further and have some kind of platform wide stateless mode. JSF
for instance can honour that by activating its stateless mode,
authentication modules could perhaps write any state they need to
either a cookie or not use it, etc.

There might be some tuning options necessary, but generally
speaking a platform stateless mode would be great!

Kind regards,
Arjan