Hi,
Thanks for posting that link! Modernizing the security framework(s) is an
important topic I think. The link goes into some more details, but briefly
said it would be cool if there was an overall security framework in Java EE
building on the more modern APIs (specifically CDI), with some more
high-level/convenience functionality.
There seems to be some level of support for this. E.g. Reza Rahman and I
proposed nearly identical functionality in
https://java.net/jira/browse/JAVAEE_SPEC-25?focusedCommentId=364516&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#action_364516
Something like that could be implemented in a reasonably trivial way,
provided that JASPIC supports CDI and is part of the web profile. A
possible new overall security framework could then build on JASPIC and CDI
to provide the requested ease-of-use functionality.
I think having a general injectable SecurityContext as a replacement for
Servlet, EJB and JAX-RS specific functionality like checking if a user has
a given role would also present a much stronger feeling of unity.
Kind regards,
Arjan Tijms