[javaee-spec users] What about JACC?

From: arjan tijms <>
Date: Thu, 4 Dec 2014 19:57:49 +0100


On Wednesday, December 3, 2014, <> wrote:

> Hi,
> referring to the question "Who uses JACC? / Does anybody use it at
> all?": Yes, here at BMW we use a framework built on top of JACC /
> JASPIC to connect our Java EE 6 Application Servers (GlassFish,
> WebLogic) to our Web EAM Infrastructure for a Java EE 6 compliant,
> application server independent authentication and authorisation.

That's really great to hear! :) I know JASPIC is more often used than
people may think, but hadn't heard much about JACC.

Just out of curiosity, but do you guys perhaps use JACC in combination with
JASPIC to circumvent the otherwise mandatory and server-specific group-to-role
mapping? (I.e. the groups "returned" by a JASPIC auth module are in
many servers not directly accepted as roles.)

One other question if you don't mind; in WebLogic it's mandatory to have
the Java SE security manager activated in order to use JACC, even though
this should not be required. This SE security manager induces a massive hit
on performance. Weren't you affected by that?

> please do not deprecate it :-).

Especially for JASPIC, but also for JACC my wish too would be to just see
it improved instead of deprecated.

Thanks for your reply!

Kind regards,
Arjan Tijms

> Heribert