jsr369-experts@servlet-spec.java.net

[jsr369-experts] Re: [servlet-spec users] Proposed fundamental spec change: require h2c and h2

From: Greg Wilkins <gregw_at_webtide.com>
Date: Sat, 15 Apr 2017 09:16:30 +1000

Ed,

I'm not so sure that requiring a specific protocol is that meaningful. In
the IETF working group discussions about protocols (where quic is being
discussed as the next thing after h2), they frequently use language to talk
about HTTP semantics vs HTTP or other transport protocols.

So perhaps we should just require containers to support the HTTP semantic
as defined by the relevant RFCs and allow flexibility in the protocols used
to transport that semantic.

regards

On 14 Apr. 2017 6:07 am, "Edward Burns" <edward.burns_at_oracle.com> wrote:

> Hello Volunteers,
>
> Section 1.2 of our spec PDF says:
>
> All servlet containers must support HTTP as a protocol for requests
> and responses, but additional request/response-based protocols such as
> HTTPS (HTTP over SSL) may be supported. The required versions of the
> HTTP specification that a container must implement are HTTP/1.1 and
> HTTP/2. When supporting HTTP/2, servlet containers must support the
> "h2" protocol identifier (as specified in section 3.1 of the HTTP/2
> RFC). This implies all servlet containers must support ALPN. Servlet
> containers are not required to support the "h2c" protocol identifier
> (as specified in section 3.1 of the HTTP/2 RFC).
>
> I propose we amend this to require h2c, not just have it optional. This
> gives the following revised text:
>
> All servlet containers must support HTTP as a protocol for requests
> and responses, but additional request/response-based protocols such as
> HTTPS (HTTP over SSL) may be supported. The required versions of the
> HTTP specification that a container must implement are HTTP/1.1 and
> HTTP/2. When supporting HTTP/2, servlet containers must support the
> "h2" and "h2c" protocol identifiers (as specified in section 3.1 of
> the HTTP/2 RFC). This implies all servlet containers must support
> ALPN.
>
> I know there are all these arguments from PHK and others about moving
> the world away from the potential of government interference, but
> considering that many users deploy Servlets enitrely within secure data
> centers, not requiring h2c is a mistake in my opinion.
>
> I suspect most impls already do h2 and h2c anyway. I know GlassFish
> does.
>
> ACTION: Please respond by start of business Tuesday 18 April 2017. No
> response means this proposal is ok.
>
> Thanks,
>
> Ed
>
>
> --
> | edward.burns_at_oracle.com | office: +1 407 458 0017
> | 6 business days until planned start of Servlet 4.0 Public Review
>
© Oracle | By contributing to this project, you are agreeing to the terms of use described here.