[javaee-spec users] Re: [jsr366-experts] Java EE Security API

From: Werner Keil <>
Date: Tue, 11 Apr 2017 11:16:07 +0200

On Tue, Apr 11, 2017 at 10:53 AM, Romain Manni-Bucau <>

> 2017-04-11 10:44 GMT+02:00 Werner Keil <>:
>> +1
>> Security is important and too often ignored, so making 375 available in
>> the "smallest" Profile available is a must have IMO.
> I would agree if it would be as easy as deploying a rest service but it is
> not. Any hope the entry cost is reduced before If so a big +1,
> if not I'll keep the same opinion on that.
>> About download figures, I found Bintray especially helpful if used
>> properly. Security API and Soteria are made available with full download
>> stats.
>> I know Apache itself is not so helpful. I raised it at ApacheCon but
>> heard they could not do it because of mirrors. Whether Bintray includes
>> downloads via Maven Central or not I can't tell, but even if it was
>> combined, the rejected "legacy" JSR275 has more than what we heard from
>> DeltaSpike.
>> The most popular Eclipse projects in Marketplace have 30-40k downloads
>> per month, so should e.g. MicroProfile parts or custom implementations be
>> there it was easy to tell which are popular and which are less
> We can close that, point was there are used libs which are not relying on
> "complex" state machine + protocol (notify*) coding in user land, then the
> detail of stats and which part is hidden is out of topic there (even if
> interesting ;)).

I keep working in environments that rely on established standards, even if
some may be older or seem "complex". A few customers also use Spring
because it developed a support infrastructure they can rely on, but that
whole "userland" and the most recent buzzword people may get to talk at
many conferences with is neither trustworthy nor useful to them.

They have real-time and often safety-critical systems people's lives can
depend on. And need Long Term Support for decades.
If they hear that Angular 2 is totally incompatible with version 1 and
that in 10 or 20 years, when their end customers still need this system to
function, nobody knows if "Angular 42" may exist or something totally
different, they are scared and turn away from it ;-)