[javaee-spec users] Re: [jsr366-experts] Re: Java EE Security API

From: Michael Remijan <>
Date: Fri, 14 Apr 2017 11:53:11 +0000 (UTC)

+1 definitely

    On Friday, April 14, 2017 6:47 AM, Ondrej Mihályi <> wrote:

 +1 On including Security in WebProfile, it's really important to have a standard security API there too, not only in the full profile.
Previously I expressed concerns about the dependency on JASPIC, but that was clarified meantime.
Arjan Tijms already explained that only a small profile of JASPIC would be necessary and it's already provided by most servers. 
If Arjan is able to find a way how to avoid the hard dependency on the JASPIC Servlet Profile, it would be even better. But even if not, the Web Profile could specify that only the Servlet Profile of JASPIC is included. I'm confident it would be enough to make people believe that the bigger part of JASPIC remains only in the full profile and only a lightweight profile is included in Web.
2017-04-14 13:17 GMT+02:00 Josh Juneau <>:

I feel that this should be included in both the full and web profiles.  Java EE Security is essential in all web applications, so it should be treated as such by adding to both profiles.  We should not short change developers by omitting important security features from the web profile.

Josh Juneau php/author/author/view/id/1866

On Fri, Apr 14, 2017 at 3:28 AM, Pavlov, Vladimir <> wrote:

Strong +1

On 14 Apr 2017, at 07:47, Michael Remijan <> wrote:

I strongly support having the Java EE Security API included in the Web Profile.  If the trend, need, and support for smaller profiles continues - Web Profile, Micro Profile - then not including the Security API would force developers to use other frameworks for security.  The security features of these frameworks will not integrate with EE server components - Servlet, JSF, JAX-RS, EJB - and this would further force developers to use what the framework provides vs. what Java EE provides.  Also, the use of smaller profiles tends to result in a significant increase in their numbers (microservices architecture). With possibly hundreds or thousands of EE servers running, there is significant advantage to having a consistent way for these services to customize how they build their Principal/Roles for not only client access but for service-to-service communication as well.  

On Thursday, April 13, 2017 5:40 AM, reza_rahman <> wrote:

FYI I have seen near universal support for adding Java EE Security to the Web Profile on social media. You should consult with David - most of that is directed to him.
Like I said before, I hope this doesn't wind up becoming yet another strange committee decision that's hard to explain to the real world for years.
Surely other people on these aliaes have an opinion on this that's not too difficult to take a few minutes to share?
-------- Original message --------From: Linda DeMichiel <>Date: 4/12/17 7:27 PM (GMT-05:00) To: jsr366-experts_at_javaee-spec.jav a.netSubject: [javaee-spec users] [jsr366-experts] Re: Java EE Security API
Fellow experts,

We've been receiving some good feedback on the users list
( .net) regarding the inclusion of the
Java EE Security API.  I hope all of you have been following the
discussion.  If not, the users list archives are here: ee-spec/lists/users/archive/ 2017-04/thread/1

In short, support for including the Java EE Security API in the full
platform has been unanimous, but there has been some disagreement as
to whether the Security API should be included as part of the Web
Profile, largely due to its dependence on JASPIC.

I would appreciate if you would weigh in on this issue.



On 4/7/17, 3:11 PM, Linda DeMichiel wrote:
> The Java EE Security API has received strong support in the community
> and has been making good process as evidenced by its recent Early
> Draft.  This JSR is now on-track to complete within the Java EE 8 time
> frame.
> We believe that the Java EE Security API adds value to the Java EE
> Platform due to its simplifications and enhancements to platform
> security, and should be included as a required technology in both the
> Java EE 8 Platform and the Java EE 8 Web Profile.
> Please let us know if for some reason you object.
> thanks,
> -Linda