As Arjan explained in the umbrella mailing list, the dependency on JACC is optional. That means only JASPIC is required. More on the umbrella thread I linked before.
Whether JASPIC is lightweight enough to justify bringing it to Web Profile I don’t know. But Arjan says it's already supported by most servlet containers, so maybe no big deal.
Ondrej
Od: Kevin Sutter
Odesláno:pondělí 10. dubna 2017 23:53
Komu: users_at_javaee-security-spec.java.net
Předmět: [javaee-security-spec users] Re: Security JSR in WebProfile
It's my understanding the JSR 375 has dependencies on both JASPIC and JACC. We don't want to pull them into Web Profile. So, with those dependencies in place, I would vote against bringing JSR 375 into Web Profile.
---------------------------------------------------
Kevin Sutter
STSM, Java EE and Java Persistence API (JPA) architect
e-mail: sutter_at_us.ibm.com Twitter: @kwsutter
phone: tl-553-3620 (office), 507-253-3620 (office)
LinkedIn:
https://www.linkedin.com/in/kevinwsutter
From: <ondrej.mihalyi_at_gmail.com>
To: users_at_javaee-security-spec.java.net
Date: 04/10/2017 02:39 PM
Subject: [javaee-security-spec users] Security JSR in WebProfile
Dear EG,
Linda de Michiel asked on the umbrella mailing list whether this JSR
should be part of Web Profile.
I expressed some concerns about dependency on JASPIC:
https://java.net/projects/javaee-spec/lists/users/archive/2017-04/messa
ge/1
Can you clarify what is the status of Security JSR relation to JASPIC?
Is it really required by the API and spec, or it's only a requirement
for Soteria RI? Could it be turned into an optional dependency, so that
it doesn't need to be pulled to Web Profile together with the Security
JSR?
Thanks,
Ondrej