[javaee-spec users] Re: [jsr366-experts] Re: Java EE Security API

From: Josh Juneau <>
Date: Fri, 14 Apr 2017 06:17:01 -0500

I feel that this should be included in both the full and web profiles.
Java EE Security is essential in all web applications, so it should be
treated as such by adding to both profiles. We should not short change
developers by omitting important security features from the web profile.

Josh Juneau

On Fri, Apr 14, 2017 at 3:28 AM, Pavlov, Vladimir <>

> Strong +1
> On 14 Apr 2017, at 07:47, Michael Remijan <> wrote:
> I strongly support having the Java EE Security API included in the Web
> Profile. If the trend, need, and support for smaller profiles continues -
> Web Profile, Micro Profile - then not including the Security API would
> force developers to use other frameworks for security. The security
> features of these frameworks will not integrate with EE server components -
> Servlet, JSF, JAX-RS, EJB - and this would further force developers to use
> what the framework provides vs. what Java EE provides. Also, the use of
> smaller profiles tends to result in a significant increase in their numbers
> (microservices architecture). With possibly hundreds or thousands of EE
> servers running, there is significant advantage to having a consistent way
> for these services to customize how they build their Principal/Roles for
> not only client access but for service-to-service communication as well.
> On Thursday, April 13, 2017 5:40 AM, reza_rahman <>
> wrote:
> FYI I have seen near universal support for adding Java EE Security to the
> Web Profile on social media. You should consult with David - most of that
> is directed to him.
> Like I said before, I hope this doesn't wind up becoming yet another
> strange committee decision that's hard to explain to the real world for
> years.
> Surely other people on these aliaes have an opinion on this that's not too
> difficult to take a few minutes to share?
> -------- Original message --------
> From: Linda DeMichiel <>
> Date: 4/12/17 7:27 PM (GMT-05:00)
> To:
> Subject: [javaee-spec users] [jsr366-experts] Re: Java EE Security API
> Fellow experts,
> We've been receiving some good feedback on the users list
> ( regarding the inclusion of the
> Java EE Security API. I hope all of you have been following the
> discussion. If not, the users list archives are here:
> In short, support for including the Java EE Security API in the full
> platform has been unanimous, but there has been some disagreement as
> to whether the Security API should be included as part of the Web
> Profile, largely due to its dependence on JASPIC.
> I would appreciate if you would weigh in on this issue.
> thanks,
> -Linda
> On 4/7/17, 3:11 PM, Linda DeMichiel wrote:
> > The Java EE Security API has received strong support in the community
> > and has been making good process as evidenced by its recent Early
> > Draft. This JSR is now on-track to complete within the Java EE 8 time
> > frame.
> >
> > We believe that the Java EE Security API adds value to the Java EE
> > Platform due to its simplifications and enhancements to platform
> > security, and should be included as a required technology in both the
> > Java EE 8 Platform and the Java EE 8 Web Profile.
> >
> > Please let us know if for some reason you object.
> >
> > thanks,
> >
> > -Linda