users@javaee-spec.java.net

[javaee-spec users] Re: [jsr366-experts] Re: Java EE Security API

From: Werner Keil <werner.keil_at_gmail.com>
Date: Fri, 14 Apr 2017 19:09:43 +0200

+1

Am 14.04.2017 13:56 schrieb "Michael Remijan" <mjremijan_at_yahoo.com>:

> +1 definitely
>
>
> On Friday, April 14, 2017 6:47 AM, Ondrej Mihályi <
> ondrej.mihalyi_at_gmail.com> wrote:
>
>
> +1 On including Security in WebProfile, it's really important to have a
> standard security API there too, not only in the full profile.
>
> Previously I expressed concerns about the dependency on JASPIC, but that
> was clarified meantime.
> Arjan Tijms already explained that only a small profile of JASPIC would be
> necessary and it's already provided by most servers.
>
> If Arjan is able to find a way how to avoid the hard dependency on the
> JASPIC Servlet Profile, it would be even better. But even if not, the Web
> Profile could specify that only the Servlet Profile of JASPIC is included.
> I'm confident it would be enough to make people believe that the bigger
> part of JASPIC remains only in the full profile and only a lightweight
> profile is included in Web.
>
> Ondrej
>
> 2017-04-14 13:17 GMT+02:00 Josh Juneau <juneau001_at_gmail.com>:
>
> I feel that this should be included in both the full and web profiles.
> Java EE Security is essential in all web applications, so it should be
> treated as such by adding to both profiles. We should not short change
> developers by omitting important security features from the web profile.
>
>
> Josh Juneau
> juneau001_at_gmail.com
> http://jj-blogger.blogspot.com
> https://www.apress.com/index. php/author/author/view/id/1866
>
>
> On Fri, Apr 14, 2017 at 3:28 AM, Pavlov, Vladimir <vladimir.pavlov_at_sap.com
> > wrote:
>
> Strong +1
>
> On 14 Apr 2017, at 07:47, Michael Remijan <mjremijan_at_yahoo.com> wrote:
>
> I strongly support having the Java EE Security API included in the Web
> Profile. If the trend, need, and support for smaller profiles continues -
> Web Profile, Micro Profile - then not including the Security API would
> force developers to use other frameworks for security. The security
> features of these frameworks will not integrate with EE server components -
> Servlet, JSF, JAX-RS, EJB - and this would further force developers to use
> what the framework provides vs. what Java EE provides. Also, the use of
> smaller profiles tends to result in a significant increase in their numbers
> (microservices architecture). With possibly hundreds or thousands of EE
> servers running, there is significant advantage to having a consistent way
> for these services to customize how they build their Principal/Roles for
> not only client access but for service-to-service communication as well.
>
>
> On Thursday, April 13, 2017 5:40 AM, reza_rahman <reza_rahman_at_lycos.com>
> wrote:
>
>
> FYI I have seen near universal support for adding Java EE Security to the
> Web Profile on social media. You should consult with David - most of that
> is directed to him.
>
> Like I said before, I hope this doesn't wind up becoming yet another
> strange committee decision that's hard to explain to the real world for
> years.
>
> Surely other people on these aliaes have an opinion on this that's not too
> difficult to take a few minutes to share?
>
> -------- Original message --------
> From: Linda DeMichiel <linda.demichiel_at_oracle.com>
> Date: 4/12/17 7:27 PM (GMT-05:00)
> To: jsr366-experts_at_javaee-spec.jav a.net
> Subject: [javaee-spec users] [jsr366-experts] Re: Java EE Security API
>
> Fellow experts,
>
> We've been receiving some good feedback on the users list
> (jsr366-users_at_javaee-spec.java .net) regarding the inclusion of the
> Java EE Security API. I hope all of you have been following the
> discussion. If not, the users list archives are here:
> https://java.net/projects/java ee-spec/lists/users/archive/
> 2017-04/thread/1
>
> In short, support for including the Java EE Security API in the full
> platform has been unanimous, but there has been some disagreement as
> to whether the Security API should be included as part of the Web
> Profile, largely due to its dependence on JASPIC.
>
> I would appreciate if you would weigh in on this issue.
>
> thanks,
>
> -Linda
>
>
> On 4/7/17, 3:11 PM, Linda DeMichiel wrote:
> > The Java EE Security API has received strong support in the community
> > and has been making good process as evidenced by its recent Early
> > Draft. This JSR is now on-track to complete within the Java EE 8 time
> > frame.
> >
> > We believe that the Java EE Security API adds value to the Java EE
> > Platform due to its simplifications and enhancements to platform
> > security, and should be included as a required technology in both the
> > Java EE 8 Platform and the Java EE 8 Web Profile.
> >
> > Please let us know if for some reason you object.
> >
> > thanks,
> >
> > -Linda
>
>
>
>
>
>
>