Hey Alessio,
Well, that's a good question.
I guess the first thing to notice is that JBEAP-11442 refers to
"optional support for RFC6265" in Undertow, so there's nothing being
forced on us.
There are 25 Resteasy JIRAs that mention cookies.
1. A lot of these are old and I've ignored them.
2. There are a few issues closed by me, Jim, and Rebecca that are bug
fixes, and, as such, I don't think they can cause any problems, since
they would just, if anything, bring us closer to correct implementation
of the spec (but see below).
3. And then there's RESTEASY-1516 "Cookies sent by resteasy-client
are not spec compliant" (open) and the related RESTEASY-1266 "Fix cookie
processing" (closed).
I started to get ambitious in RESTEASY-1266 and then just did a bug fix
and closed it. That leaves RESTEASY-1516, for which I created
https://github.com/jax-rs/api/issues/554 "Clarify documentation
ambiguities", which refers to
https://github.com/jax-rs/api/issues/435
"Update Cookie and NewCookie to RFC 6265". There doesn't seem to be any
reaction to either of them.
The problem is that the JAX-RS spec (specifically
javax.ws.rs.core.Cookie and javax.ws.rs.core.NewCookie) refer to IETF
RFC 2109, which is now obsolete. It seems to me that the Expert Group
should at least do something like what Undertow is doing, by making the
Cookie spec configurable.
Until then, I guess the most we could do is add an option to configure
which Cookie spec to use, taking advantage of what they've done in
Undertow. I don't have any sense of how useful that would be.
-Ron
On 08/17/2017 02:37 AM, Alessio Soldano wrote:
Thanks for having shared this, Ron.
Do you expect us having to revisit any of the decisions we have taken
so far regarding issues related to cookies?
Cheers
Alessio
On Thu, Aug 17, 2017 at 2:41 AM, Ron Sigal <rsigal(a)redhat.com
<mailto:rsigal@redhat.com>> wrote:
We've talked in the past about the ambiguity in the JAX-RS spec
concerning cookies. I just noticed this issue:
https://issues.jboss.org/browse/JBEAP-11442
<
https://issues.jboss.org/browse/JBEAP-11442> "[GSS](7.0.z) Add
optional support for RFC6265 compliant cookie validation"
Not that there's anything we need to do about.I just thought it
might be
worth knowing about.
--
My company's smarter than your company (unless you work for Red Hat)
_______________________________________________
resteasy-dev mailing list
resteasy-dev(a)lists.jboss.org <mailto:resteasy-dev@lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/resteasy-dev
<
https://lists.jboss.org/mailman/listinfo/resteasy-dev>
--
My company's smarter than your company (unless you work for Red Hat)