[javaee-spec users] Re: [jsr366-experts] Java EE Security API

From: <>
Date: Mon, 10 Apr 2017 19:35:03 +0000 (UTC)

Hi Linda and Security JSR EG,

I think that majority of the people who care would warmly welcome this
new security API also in Web Profile (many people already showed their
preference on Twitter:

However, I'd like to ask what are the implications? What other
dependencies would it bring to the WebProfile?

E.g. the Security JSR depends on JASPIC, which is not part of Web
Profile. From the spec EDR1: " Integration with the servlet container
leverages JASPIC;
the container MUST configure and invoke the HttpAuthenticationMechanism
via JASPIC, as
described below"

It seems to me that with the new Security JSR, also JASPIC needs to be
moved to Web Profile. Is it really necessary or can the dependency on
JASPIC be optional?

I'd appreciate to make JASPIC optional and leave it out of Web Profile,
because it's a cumbersome API and not really needed to be exposed in
the Web Profile.