[javaee-spec users] Re: [jsr366-experts] Re: Java EE Security API

From: Michael Remijan <>
Date: Fri, 14 Apr 2017 04:43:54 +0000 (UTC)

I strongly support having the Java EE Security API included in the Web Profile.  If the trend, need, and support for smaller profiles continues - Web Profile, Micro Profile - then not including the Security API would force developers to use other frameworks for security.  The security features of these frameworks will not integrate with EE server components - Servlet, JSF, JAX-RS, EJB - and this would further force developers to use what the framework provides vs. what Java EE provides.  Also, the use of smaller profiles tends to result in a significant increase in their numbers (microservices architecture). With possibly hundreds or thousands of EE servers running, there is significant advantage to having a consistent way for these services to customize how they build their Principal/Roles for not only client access but for service-to-service communication as well.  

    On Thursday, April 13, 2017 5:40 AM, reza_rahman <> wrote:

 FYI I have seen near universal support for adding Java EE Security to the Web Profile on social media. You should consult with David - most of that is directed to him.
Like I said before, I hope this doesn't wind up becoming yet another strange committee decision that's hard to explain to the real world for years.
Surely other people on these aliaes have an opinion on this that's not too difficult to take a few minutes to share?
-------- Original message --------From: Linda DeMichiel <> Date: 4/12/17 7:27 PM (GMT-05:00) To: Subject: [javaee-spec users] [jsr366-experts] Re: Java EE Security API
Fellow experts,

We've been receiving some good feedback on the users list
( regarding the inclusion of the
Java EE Security API.  I hope all of you have been following the
discussion.  If not, the users list archives are here:

In short, support for including the Java EE Security API in the full
platform has been unanimous, but there has been some disagreement as
to whether the Security API should be included as part of the Web
Profile, largely due to its dependence on JASPIC.

I would appreciate if you would weigh in on this issue.



On 4/7/17, 3:11 PM, Linda DeMichiel wrote:
> The Java EE Security API has received strong support in the community
> and has been making good process as evidenced by its recent Early
> Draft.  This JSR is now on-track to complete within the Java EE 8 time
> frame.
> We believe that the Java EE Security API adds value to the Java EE
> Platform due to its simplifications and enhancements to platform
> security, and should be included as a required technology in both the
> Java EE 8 Platform and the Java EE 8 Web Profile.
> Please let us know if for some reason you object.
> thanks,
> -Linda