users@javaee-spec.java.net

[javaee-spec users] [jsr366-experts] Re: Re: Re: Java EE Security API and the Web Profile

From: Linda DeMichiel <linda.demichiel_at_oracle.com>
Date: Thu, 20 Apr 2017 10:13:05 -0700

On 4/19/17, 11:41 AM, Linda DeMichiel wrote:
> The Servlet Container Profile of JASPIC need only be required.
> Section EE.9.3 of the Platform spec spells out the rules, as does
> Chapter 3 of the JASPIC spec.
>
> However, if a Web Profile product supports additional functionality
> that is addressed by JASPIC spec, then the corresponding JASPIC
> requirements would need to be supported. For example, if a Web
> Profile product supports web service endpoints, then the SOAP profile
> of the JASPIC spec would need to be supported.
>

A correction to my earlier message here. After some further
JASPIC spec research, we've determined that the JASPIC SOAP profile
support would be optional, not required. I'll clarify this point
in the Platform spec.


>
> On 4/19/17, 5:22 AM, Kevin Sutter wrote:
>> Hi Arjan,
>> Thanks for the clarification. But, will Linda indicate that only the
>> Servlet Container Profile of jaspic will be required for Web Profile?
>> I'm not so worried about whether Liberty supports a given set of
>> jaspic features. Just in general, I didn't think it was a good idea to
>> require all of jaspic in the Web Profile. If we can limit the
>> documented support to just the Servlet Container Profile of jaspic, then
>> I would probably be okay. I was just looking for clarification of how
>> much of jaspic would be required. Linda?
>
>
>>
>> ---------------------------------------------------
>> Kevin Sutter
>> STSM, Java EE and Java Persistence API (JPA) architect
>> e-mail: sutter_at_us.ibm.com Twitter: @kwsutter
>> phone: tl-553-3620 (office), 507-253-3620 (office)
>> LinkedIn: https://www.linkedin.com/in/kevinwsutter
>>
>>
>>
>> From: arjan tijms <arjan.tijms_at_gmail.com>
>> To: users <users_at_javaee-spec.java.net>
>> Date: 04/19/2017 11:55 AM
>> Subject: [javaee-spec users] Re: [jsr366-experts] Re: Java EE Security
>> API and the Web Profile
>> ------------------------------------------------------------------------
>>
>>
>>
>> Hi Kevin,
>>
>> The proposed "jaspic lite" is simply the already defined Servlet
>> Container Profile of jaspic, which is described in chapter 3 of the
>> JASPIC 1.1 spec.
>>
>> Liberty supports this well enough (the JSR 375 RI runs on Liberty).
>>
>> Kind regards,
>> Arjan Tijms
>>
>>
>>
>>
>> On Wed, Apr 19, 2017 at 5:05 AM, Kevin Sutter <_sutter_at_us.ibm.com_
>> <mailto:sutter_at_us.ibm.com>> wrote:
>> -1 on this move without further clarification... Arjan has proposed
>> that maybe we need a "jaspic lite" similar to "ejb lite" to allow for a
>> subset of jaspic to be required in web profile. If we could clarify
>> this first then I might go along with including security 1.0 and jaspic
>> lite in web profile. But, without that clarification, I don't agree
>> with including jaspic in web profile (and thus security 1.0). Thanks.
>>
>> ---------------------------------------------------
>> Kevin Sutter
>> STSM, Java EE and Java Persistence API (JPA) architect
>> e-mail: _sutter_at_us.ibm.com_ <mailto:sutter_at_us.ibm.com> Twitter:
>> @kwsutter
>> phone: tl-553-3620 (office), _507-253-3620_
>> <tel:(507)%20253-3620>(office)
>> LinkedIn: _https://www.linkedin.com/in/kevinwsutter_
>>
>>
>>
>> From: Linda DeMichiel <_linda.demichiel_at_oracle.com_
>> <mailto:linda.demichiel_at_oracle.com>>
>> To: _jsr366-experts_at_javaee-spec.java.net_
>> <mailto:jsr366-experts_at_javaee-spec.java.net>
>> Date: 04/18/2017 06:47 AM
>> Subject: [javaee-spec users] [jsr366-experts] Java EE Security API and
>> the Web Profile
>> ------------------------------------------------------------------------
>>
>>
>>
>>
>> An update as to where we are with this discussion.....
>>
>> So far, there has been overwhelming support among the users list
>> participants for including the Java EE Security API in the
>> Web Profile.
>>
>> As of today, however, the Java EE Security API depends on JASPIC,
>> which we would therefore also need to include in the Web Profile,
>> which has raised some concerns.
>>
>> In the absence of any further feedback from members of the Platform
>> Expert Group, we plan to include both the Java EE Security API
>> and JASPIC in the Web Profile.
>>
>> Please let us know asap if you object.
>>
>> thanks,
>>
>> -Linda
>>
>>
>>
>>
>>
>>
>>