users@javaee-spec.java.net

[javaee-spec users] Re: [jsr366-experts] clarification: session(-less) applications

From: Yannick Majoros <yannick.majoros_at_gmail.com>
Date: Wed, 05 Nov 2014 06:59:22 +0100

Hi,

That would be very welcome. Do you think there should be other
mechanisms to make it work in jax-ws / jax-rs? Should sessions be
disabled until explicitly enabled, or is this dangerous for compatibility?

Thanks,

Yannick

Le 04-11-14 18:05, arjan tijms a écrit :
> I absolutely agree! As a coincidence I was just discussing the exact
> same thing here ;)
>
> Currently there's not even a way in Servlet to indicate that you don't
> want any sessions. There are some workarounds like installing a filter
> that wraps the request and blocking the createSession methods, but A)
> that's a somewhat non-obvious and hacky way and B) it doesn't even
> work in all situations (a JASPIC auth module for instance sees the
> request before a Filter does, so it can create a session before a
> Filter gets to intercept it).
>
> So I would propose to have at the very least a Servlet method to
> easily disable sessions, but to investigate if it's possible to go one
> step further and have some kind of platform wide stateless mode. JSF
> for instance can honour that by activating its stateless mode,
> authentication modules could perhaps write any state they need to
> either a cookie or don't use it. Etc.
>
> There might be some tuning options necessary, but in generally
> speaking a platform stateless mode would be great!
>
> Kind regards,
> Arjan