On Thu, 15 Nov 2001, jean-frederic clere wrote:

> > > Yes, but the question is what does it costs to setAttribute each time we process
> > > a request even if the servlet does not do a getAttribute.
>
> > Yes, this is a good point. This suggests that we ought to just
> > expose SSLSupport as a single attribute because it will be faster.
> > Is that what you're saying?
>
> Yes, but now I am thinking that it only makes sense in mod_webapp (WARP) /mod_jk
> (Ajp14)  where the SSL informations are requested in a separate dialog step
> between httpd and TC.

I think it makes sense for the other cases as well, since the evaluation (
construction of Cert, etc ) can be done only if needed ( i.e. lazy ).

For Ajp14 you'll get an extra benefit if you don't even send it unless
needed.

On the other side, I'm not sure exposing SSLSupport as a req. attribute
is very easy - we must thing about security. If SSLSupport will be recycled,
which it should, then untrusted servlets should not be able to get a
reference to it, otherwise they can hang on the reference and access
informations on other webapps. And I see no need to have it visible to
servlets.

It can be stored as a private attribute ( note in 3.3 ), and that will
also make the access faster.

BTW, regarding JDK1.1 compatibility - I assume most of it will be done as
a module ( you should have all the hooks you need ), and modules don't
have to be 1.1 compatible. The only requirement is that people should be
able to build and run a basic functional container using JDK1.1 - and we
already have this.


Costin






--
To unsubscribe, e-mail:   <mailto:[EMAIL PROTECTED]>
For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>

Reply via email to