IDP on Tomcat 8.5.x
jcastor at uvic.ca
Mon May 8 17:33:05 EDT 2017
We are in the process of upgrading from v2 -> 3.3.1 (but on RHEL6) and our sysadmins don't like the 8.0 release stream and want us on 8.5.5 (see note below)
> As discussed, the issue that led the Shibboleth maintainer to advise against Tomcat 8.5 appears only to have ever been verified on Windows 2012 and I can't see any > evidence that it's ever been replicated; further, 8.0 is "superseded" by 8.5 in the 8.x stream, and the Tomcat maintainers advise that it should no longer be installed > in new deployments. Given that we haven't actually experienced the issue described, I'm suggesting we stay with our 8.5 deployment.
http://tomcat.apache.org/whichversion.html confirms that they say 8.0 is superseded, so far we have not experienced any issues, but will do Tomcat 8.0 if we need to. I am reluctant to deploy Jetty as it would be new for us and there are only so many containers we will want to support long term.
From: users [mailto:users-bounces at shibboleth.net] On Behalf Of Cantor, Scott
Sent: May 8, 2017 2:13 PM
To: Shib Users <users at shibboleth.net>
Subject: RE: IDP on Tomcat 8.5.x
> I found an issue (IDP-1028) that came from a session problem reported
> to the mailing list:
That's what the note refers to, it should be more explicit.
> But otherwise, I don't see widespread reports of problems with Tomcat
I don't know how much its been used. My uninformed sense is that it's a bad release. They were waiting for 9 and then decided to do one of those backporting exercises to try and get stuff out sooner, and it seems to include a "not final" version of whatever the next servlet spec is going to be, and that all sort of made me feel like I wasn't shocked that the sessions were buggy. And that's about the worst place to be suspicious with software like this.
> Is it safe to upgrade to Tomcat v8.5.14?
I have literally no idea but my opinion is that it's not, based solely on the fact that it was broken for one person and that's all I need to see from a container. Rock solid, or get out. This is not a piece of software I think is worth trying to "live with" when there are demonstrably better alternatives.
Jetty continues to try and prove me wrong with regressions, so I'm not sure I like any of them at the moment but the regressions of late have been pretty harmless.
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
More information about the users