jsr369-experts@servlet-spec.java.net

[jsr369-experts] Re: Proposed fundamental spec change: require h2c and h2

From: Wenbo Zhu <wenboz_at_google.com>
Date: Thu, 13 Apr 2017 16:50:40 -0700

On Thu, Apr 13, 2017 at 1:07 PM, Edward Burns <edward.burns_at_oracle.com>
wrote:

> Hello Volunteers,
>
> Section 1.2 of our spec PDF says:
>
> All servlet containers must support HTTP as a protocol for requests
> and responses, but additional request/response-based protocols such as
> HTTPS (HTTP over SSL) may be supported. The required versions of the
> HTTP specification that a container must implement are HTTP/1.1 and
> HTTP/2. When supporting HTTP/2, servlet containers must support the
> "h2" protocol identifier (as specified in section 3.1 of the HTTP/2
> RFC). This implies all servlet containers must support ALPN. Servlet
> containers are not required to support the "h2c" protocol identifier
> (as specified in section 3.1 of the HTTP/2 RFC).
>
> I propose we amend this to require h2c, not just have it optional. This
> gives the following revised text:
>
> All servlet containers must support HTTP as a protocol for requests
> and responses, but additional request/response-based protocols such as
> HTTPS (HTTP over SSL) may be supported. The required versions of the
> HTTP specification that a container must implement are HTTP/1.1 and
> HTTP/2. When supporting HTTP/2, servlet containers must support the
> "h2" and "h2c" protocol identifiers (as specified in section 3.1 of
> the HTTP/2 RFC). This implies all servlet containers must support
> ALPN.
>
> I know there are all these arguments from PHK and others about moving
> the world away from the potential of government interference, but
> considering that many users deploy Servlets enitrely within secure data
> centers, not requiring h2c is a mistake in my opinion.
>
I believe they were arguing against h2 (i.e. TLS everywhere). Anyhow, +1 on
this change.

>
> I suspect most impls already do h2 and h2c anyway. I know GlassFish
> does.
>
> ACTION: Please respond by start of business Tuesday 18 April 2017. No
> response means this proposal is ok.
>
> Thanks,
>
> Ed
>
>
> --
> | edward.burns_at_oracle.com | office: +1 407 458 0017
> | 6 business days until planned start of Servlet 4.0 Public Review
>