On 08/02/2013 19:49, Rajiv Mordani wrote:
> Mark,
> Ron has driven the security issues for servlet spec for both 3.0
> and 3.1 work so I am on board with the proposed solution from Ron at
> least to close
> the gap in the short term. We can revisit the more detailed security model
> changes in a future revision of the spec.
>
> - Rajiv
Rajiv,
The discussion with Ron on the Servlet EG list over what exactly would
be in Servlet 3.1 took place in October last year. That discussion
appeared to reach agreement on the following points:
1. Logging should be required.
2. If logging was required, remediation could be a container feature.
Given Bill Shannon's recent post to the Servlet EG the discussion has
clearly been continuing without the Servlet EG. Please could you clarify
(particularly with respect to the above two points) what you intend
adding to Servlet 3.1.
As I have previously stated, I believe 1) is essential regardless of the
approach taken for remediation.
Regarding 2) I'd be happy if remediation was left as a container feature
(as previously agreed with Ron in October last year) or included in the
specification as an optional feature / recommendation much like JSR 196
support is currently or HTTPS support was in the past.
Mark