From: arjan tijms <>
Date: Thu, 26 Nov 2015 22:07:36 +0100


As discussed before I'd like to ask for a JASPIC MR.

The goal of this discussion is to compile a small list of the most useful
aspects that need to be addressed.

While there are a number of feature requests open in the JASPIC JIRA, I
think the most important things are the clarifications.

In order of importance, my suggested list, mostly for the Servlet Container
Profile, is:

1. Clarify interactions with other specs
2. Clarify the register session feature
3. Expand the TCK
4. Update the Java SE level
5. Detect invocation via authenticate()

The items are further explained below:

1. Clarify interactions with other specs

1.1 Clarify that the application Java EE component namespaces (java:app,
java:comp, etc) should be available from within a SAM.

Practical use case: obtaining application scoped data sources, EJB beans
and other resources.

Example: new InitialContext().lookup("java:app/myds")

1.2 Clarify that the CDI default scopes for web components (@RequestScoped,
@SessionScoped, etc) should be available from within a SAM.

Practical use case: obtaining application scoped identity stores

Example: CDI.current().select(SomeBean.class); // SomeBean is @RequestScoped

Existing issue: (but slightly
more limited)

2. Clarify the register session feature

I, and almost every vendor I talked to, did not fully understand from
the spec text how the JASPIC 1.1 register session feature should work. Ron
clarified this on various occasions and made the remark that the spec
should have said something about the groups.

I think additional spec text based on these clarifications would make it
much more understandable for both users and vendors alike.

3. Expand the TCK

In the past some vendors did not implement basic functionality of JASPIC,
but still got certified. Clearly the TCK is not optimally testing the
basics yet.

I'm not 100% sure if expanding the TCK necessarily needs an MR or if it can
be added to the next Java EE CTS (Java EE 8 in this case) without one.

4. Update the Java SE level

The only change in this list that would require actual code changes in the

JASPIC is still limited to Java SE 1.4. Now that Java EE moves to Java EE 8
this feels curiously out of place.

In practice this mostly boils down to adding generic parameters for the
various maps JASPIC passes around. Where it makes sense, default methods for
interfaces could be considered.

Existing issue:

5. Detect invocation via authenticate()

A SAM can be called at the start of a request or following a call to

A simple key in the message info map would suffice to distinguish between
those two cases. Various implementations already have such a key in place,
or have e.g. a boolean for this in the runtime method just before the SAM
is invoked.

This is a new feature, but should be very easy to spec and implement.

Existing issue:


Kind regards,
Arjan Tijms
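
An added example, not part of the original message and not code from the JASPIC project: a Servlet Container Profile SAM that relies on the two lookups from items 1.1 and 1.2 and rejects the request when the container does not make them available. The class name `LookupSam` and the two methods on `SomeBean` are hypothetical; `java:app/myds` is the lookup name used in the message.

```java
import java.util.Map;
import javax.enterprise.inject.spi.CDI;
import javax.naming.InitialContext;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.message.*;
import javax.security.auth.message.callback.*;
import javax.security.auth.message.module.ServerAuthModule;
import javax.servlet.http.*;
import javax.sql.DataSource;

public class LookupSam implements ServerAuthModule {
    // Hypothetical application identity store; its implementation would be @RequestScoped.
    public interface SomeBean {
        String validate(HttpServletRequest request, DataSource ds); // caller name, or null
        String[] groupsFor(String caller, DataSource ds);
    }
    static final String IS_MANDATORY = "javax.security.auth.message.MessagePolicy.isMandatory";
    private CallbackHandler handler;
    public void initialize(MessagePolicy req, MessagePolicy resp, CallbackHandler h, Map options) { handler = h; }
    public Class[] getSupportedMessageTypes() {
        return new Class[] { HttpServletRequest.class, HttpServletResponse.class };
    }
    public AuthStatus validateRequest(MessageInfo info, Subject client, Subject service) throws AuthException {
        try {
            // Item 1.1: application-scoped resource from the java:app namespace.
            DataSource ds = (DataSource) new InitialContext().lookup("java:app/myds");
            // Item 1.2: request-scoped CDI bean resolved from inside the SAM.
            SomeBean store = CDI.current().select(SomeBean.class).get();
            String caller = store.validate((HttpServletRequest) info.getRequestMessage(), ds);
            if (caller == null) {
                if (Boolean.parseBoolean((String) info.getMap().get(IS_MANDATORY))) {
                    ((HttpServletResponse) info.getResponseMessage()).sendError(HttpServletResponse.SC_UNAUTHORIZED);
                    return AuthStatus.SEND_FAILURE; // protected resource, no valid credentials
                }
                // Unprotected resource: continue as the unauthenticated caller.
                handler.handle(new Callback[] { new CallerPrincipalCallback(client, (String) null) });
                return AuthStatus.SUCCESS;
            }
            handler.handle(new Callback[] {
                new CallerPrincipalCallback(client, caller),
                new GroupPrincipalCallback(client, store.groupsFor(caller, ds)) });
            return AuthStatus.SUCCESS;
        } catch (Exception e) {
            // Fail closed: a missing namespace, inactive CDI scope or I/O error never authenticates anyone.
            throw (AuthException) new AuthException("SAM failed; rejecting request").initCause(e);
        }
    }
    public AuthStatus secureResponse(MessageInfo info, Subject service) { return AuthStatus.SEND_SUCCESS; }
    public void cleanSubject(MessageInfo info, Subject subject) { if (subject != null) subject.getPrincipals().clear(); }
}
```

On a container that does not expose `java:app` or the web CDI scopes to a SAM, this module throws `AuthException` on every request, which makes the portability gap visible in testing.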