IDP on Tomcat 8.5.x

[Cantor, Scott]

> I found an issue (IDP-1028) that came from a session problem reported to
> the mailing list:
> 
>    http://shibboleth.1660669.n2.nabble.com/HttpSession-
> NullPointerException-on-Apache-Tomcat-8-5-4-td7627069.html

That's what the note refers to, it should be more explicit.

> But otherwise, I don't see widespread reports of problems with Tomcat
> v8.5.

I don't know how much its been used. My uninformed sense is that it's a bad release. They were waiting for 9 and then decided to do one of those backporting exercises to try and get stuff out sooner, and it seems to include a "not final" version of whatever the next servlet spec is going to be, and that all sort of made me feel like I wasn't shocked that the sessions were buggy. And that's about the worst place to be suspicious with software like this.

> Is it safe to upgrade to Tomcat v8.5.14?

I have literally no idea but my opinion is that it's not, based solely on the fact that it was broken for one person and that's all I need to see from a container. Rock solid, or get out. This is not a piece of software I think is worth trying to "live with" when there are demonstrably better alternatives.

Jetty continues to try and prove me wrong with regressions, so I'm not sure I like any of them at the moment but the regressions of late have been pretty harmless.

-- Scott