users@servlet-spec.java.net

[servlet-spec users] Re: session(-less) applications

From: Edward Burns <edward.burns_at_oracle.com>
Date: Mon, 8 Dec 2014 14:10:00 -0800

>>>>> On Wed, 26 Nov 2014 06:39:49 +0000, Yannick Majoros <yannick.majoros_at_gmail.com> said:

YM> Hello,
YM> A couple of weeks ago, I wrote this message in the Java EE users mailing
YM> list. Bill Shannon suggested that it would be interesting to post it here.

It sure was interesting! Lots of folks coming out of the woodwork on
this one.

Yannick Majoros "[servlet-spec users] session(-less) applications"
Mark Thomas "[servlet-spec users] Re: session(-less) applications"
Stuart Douglas "[servlet-spec users] Re: session(-less) applications"
arjan tijms "[servlet-spec users] Re: session(-less) applications"
Greg Wilkins "[servlet-spec users] Re: session(-less) applications"
Martin Grigorov "[servlet-spec users] Re: session(-less) applications"
Remy Maucherat "[servlet-spec users] Re: session(-less) applications"
Mark Struberg "[servlet-spec users] Re: session(-less) applications"

I hate to have had all this excellent discussion and end up doing
nothing, though sometimes that is indeed the right decision. Let's
entertain Mark Thomas's suggestions:

>>>>> On Wed, 26 Nov 2014 12:17:58 +0000, Mark Thomas <markt_at_apache.org> said:

MT> I think it makes sense for some wording to be added to section 13.6 of
MT> the Servlet spec to:
MT> - make clearer which authentication mechanisms (FORM) are expected to
MT> create HTTP sessions (I assume everyone is creating HTTP sessions
MT> to handle FORM auth)

Section 13.6.3.1 currently does say:

Spec> Form based login should only be used when sessions are being
Spec> maintained by cookies or by SSL session information.

Need we say more?

MT> - highlight the pros/cons of creating sessions rather than
MT> authenticating on every request

Can someone suggest some text for this purpose? I've listed this as an
Adopt-a-JSR task for JSR-369: <https://jcp.org/en/egc/view?id=369>. We
could also include Greg's idea about using an HttpSessionListener to aid
in this sort of work.

MT> - recommend that containers that create sessions purely to cache the
MT> results of authentication provide a mechanism to disable that

We've seen how worthwhile "MAY" statements are in the spec. Just refer
to Arjan's thread about JASPIC (still waiting for a resolution on that
one by the way) being no longer optional for Servlet to see the problems
that can be created by MAY statements.

So, after reading the interesting messages of this thread, I think the
concrete action may be to just add a little bit of spec text.

Ed

-- 
| edward.burns_at_oracle.com | office: +1 407 458 0017
| 56 days til DevNexus 2015
| 66 days til JavaLand 2015
| 76 days til CONFESS 2015
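The thread mentions Greg's idea of using an HttpSessionListener to see whether a container is creating sessions merely to cache authentication results. The following is an added illustration of that idea, not code from the thread or from any Servlet container. It targets the Servlet 3.x API (`javax.servlet`), assumes annotation scanning is enabled for the web application (no `metadata-complete="true"` in web.xml), and the class name `SessionAudit` and its log wording are this example's own. A listener alone cannot tell which request caused a session to appear, because it receives no request, so the same class is also registered as a filter that probes with `getSession(false)` before and after the chain runs.

```java
import java.io.IOException;
import java.util.concurrent.atomic.AtomicLong;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

/**
 * Added example (hypothetical class, not part of the thread or of any container).
 * The container instantiates this class twice: once as a session listener and
 * once as a filter mapped to every URL. The listener keeps running counts of
 * sessions; the filter reports the requests during which a session came into
 * existence, so unexpected session creation can be traced to a URL and to
 * whether the request ended up authenticated.
 */
@WebListener
@WebFilter("/*")
public class SessionAudit implements HttpSessionListener, Filter {

    // Static so both instances (listener and filter) share the same counters.
    private static final AtomicLong live = new AtomicLong();
    private static final AtomicLong created = new AtomicLong();

    @Override
    public void sessionCreated(HttpSessionEvent se) {
        live.incrementAndGet();
        created.incrementAndGet();
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent se) {
        live.decrementAndGet();
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (!(request instanceof HttpServletRequest)) {
            chain.doFilter(request, response);
            return;
        }
        HttpServletRequest req = (HttpServletRequest) request;
        // getSession(false) never creates a session, so the probe itself has no side effect.
        boolean hadSession = req.getSession(false) != null;
        try {
            chain.doFilter(request, response);
        } finally {
            boolean hasSession = req.getSession(false) != null;
            if (!hadSession && hasSession) {
                // A session appeared while this request was processed. If the application
                // never calls getSession() itself, the container's authentication handling
                // is the likely source. The session id is deliberately kept out of the log.
                req.getServletContext().log("session created during " + req.getMethod() + " "
                        + req.getRequestURI()
                        + (req.getUserPrincipal() != null ? " (request authenticated)" : "")
                        + " live=" + live.get() + " total=" + created.get());
            }
        }
    }

    @Override
    public void init(FilterConfig filterConfig) {
        // Nothing to configure; present because Servlet 3.x Filter has no default methods.
    }

    @Override
    public void destroy() {
    }

    // Exposed so a health endpoint or JMX bean can publish the counts.
    public static long liveSessions() {
        return live.get();
    }

    public static long sessionsCreated() {
        return created.get();
    }
}
```

Deployed in a test environment, the counters and log lines show whether a given authentication mechanism (FORM, BASIC with a container that caches the result, a JASPIC module) leaves sessions behind on each request; an application that authenticates on every request and expects `liveSessions()` to stay at zero can check that directly. The counters are per class loader, so they cover one web application, not the whole JVM.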