IDP on Tomcat 8.5.x

Jason Castor jcastor at uvic.ca
Mon May 8 17:33:05 EDT 2017 

We are in the process of upgrading from v2 -> 3.3.1 (but on RHEL6) and our sysadmins don't like the 8.0 release stream and want us on 8.5.5 (see note below)

> As discussed, the issue that led the Shibboleth maintainer to advise against Tomcat 8.5 appears only to have ever been verified on Windows 2012 and I can't see any > evidence that it's ever been replicated; further, 8.0 is "superseded" by 8.5 in the 8.x stream, and the Tomcat maintainers advise that it should no longer be installed > in new deployments. Given that we haven't actually experienced the issue described, I'm suggesting we stay with our 8.5 deployment.

http://tomcat.apache.org/whichversion.html confirms that they say 8.0 is superseded, so far we have not experienced any issues, but will do Tomcat 8.0 if we need to.  I am reluctant to deploy Jetty as it would be new for us and there are only so many containers we will want to support long term.

Cheers,

Jason

-----Original Message-----
From: users [mailto:users-bounces at shibboleth.net] On Behalf Of Cantor, Scott
Sent: May 8, 2017 2:13 PM
To: Shib Users <users at shibboleth.net>
Subject: RE: IDP on Tomcat 8.5.x

> I found an issue (IDP-1028) that came from a session problem reported 
> to the mailing list:
> 
>    http://shibboleth.1660669.n2.nabble.com/HttpSession-
> NullPointerException-on-Apache-Tomcat-8-5-4-td7627069.html

That's what the note refers to, it should be more explicit.

> But otherwise, I don't see widespread reports of problems with Tomcat 
> v8.5.

I don't know how much its been used. My uninformed sense is that it's a bad release. They were waiting for 9 and then decided to do one of those backporting exercises to try and get stuff out sooner, and it seems to include a "not final" version of whatever the next servlet spec is going to be, and that all sort of made me feel like I wasn't shocked that the sessions were buggy. And that's about the worst place to be suspicious with software like this.

> Is it safe to upgrade to Tomcat v8.5.14?

I have literally no idea but my opinion is that it's not, based solely on the fact that it was broken for one person and that's all I need to see from a container. Rock solid, or get out. This is not a piece of software I think is worth trying to "live with" when there are demonstrably better alternatives.

Jetty continues to try and prove me wrong with regressions, so I'm not sure I like any of them at the moment but the regressions of late have been pretty harmless.

-- Scott

--
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net

More information about the users mailing list