users@javaee-spec.java.net

[javaee-spec users] Fwd: [jsr366-experts] Re: Java EE Security API

From: Guillermo González de Agüero <z06.guillermo_at_gmail.com>
Date: Thu, 13 Apr 2017 10:42:45 +0000

Resending my last email as I think it has been lost.

---------- Forwarded message ---------
From: Guillermo González de Agüero <z06.guillermo_at_gmail.com>
Date: jue., 13 de abril de 2017 10:13
Subject: Re: [javaee-spec users] [jsr366-experts] Re: Java EE Security API
To: <users_at_javaee-spec.java.net>


Hi Linda,

Arjan said he thinks the JASPIC dependency can be removed from the spec. I
hope he can confirm this. That would solve the only real problem people
seems to have.

Personally, I'd prefer not to include JASPIC on the Web Profile. Not
because it is bad, but because it is a complicated technology thar people
will barely use having the new
Security API. But for that to be true, the Security API has to be present.

Given that every Servlet container now supports JASPIC and even the Servlet
spec once considered to require the presence of JASPIC, I think there will
be no difference at all for end users. Most implementations will use it
under the covers anyway.

So my position is: absolutely bring the Security API to the Web Profile,
and regarding JASPIC,
- If possible, remove its hard reference from the spec. Only mandate to use
it underneath on thd Full edition. Arjan will need to confirm if this is
possible.
- If not possible to remove the dependency, bring JASPIC to the Web
Profile. I doubt it will make any difference in practice, at least on the
short term.


Regards,

Guillermo González de Agüero


El jue., 13 de abril de 2017 1:28, Linda DeMichiel <
linda.demichiel_at_oracle.com> escribió:

> Fellow experts,
>
> We've been receiving some good feedback on the users list
> (jsr366-users_at_javaee-spec.java.net) regarding the inclusion of the
> Java EE Security API. I hope all of you have been following the
> discussion. If not, the users list archives are here:
> https://java.net/projects/javaee-spec/lists/users/archive/2017-04/thread/1
>
> In short, support for including the Java EE Security API in the full
> platform has been unanimous, but there has been some disagreement as
> to whether the Security API should be included as part of the Web
> Profile, largely due to its dependence on JASPIC.
>
> I would appreciate if you would weigh in on this issue.
>
> thanks,
>
> -Linda
>
>
> On 4/7/17, 3:11 PM, Linda DeMichiel wrote:
> > The Java EE Security API has received strong support in the community
> > and has been making good process as evidenced by its recent Early
> > Draft. This JSR is now on-track to complete within the Java EE 8 time
> > frame.
> >
> > We believe that the Java EE Security API adds value to the Java EE
> > Platform due to its simplifications and enhancements to platform
> > security, and should be included as a required technology in both the
> > Java EE 8 Platform and the Java EE 8 Web Profile.
> >
> > Please let us know if for some reason you object.
> >
> > thanks,
> >
> > -Linda
>