[javaee-spec users] Re: [jsr366-experts] Java EE Security API

From: Romain Manni-Bucau <>
Date: Mon, 10 Apr 2017 21:50:38 +0200

Hi Linda,

can it stay outside WebProfile for EE 8? It seems security still requires
custom API or vendor specific API in enough cases (for good and bad
reasons) and is easier not integrating with a 3rd party (EE or not) in
other numerous cases to not pollute the web profile with yet another spec
not yet helping much in enough cases.

+1 to get it in the full profile however, it is a very good move and next
version will hopefully make it more adapted to enterprises and
microservices and could imply a move to webprofile if accepted enough.

Probably wiser this way than the opposite which would enforce a stack for
EE > 8 not yet justified IMHO.

Romain Manni-Bucau
@rmannibucau <> | Blog
<> | Old Blog
<> | Github <> |
LinkedIn <> | JavaEE Factory

2017-04-10 21:35 GMT+02:00 <>:

> Hi Linda and Security JSR EG,
> I think that majority of the people who care would warmly welcome this
> new security API also in Web Profile (many people already showed their
> preference on Twitter:
> However, I'd like to ask what are the implications? What other
> dependencies would it bring to the WebProfile?
> E.g. the Security JSR depends on JASPIC, which is not part of Web
> Profile. From the spec EDR1: " Integration with the servlet container
> leverages JASPIC;
> the container MUST configure and invoke the HttpAuthenticationMechanism
> via JASPIC, as
> described below"
> It seems to me that with the new Security JSR, also JASPIC needs to be
> moved to Web Profile. Is it really necessary or can the dependency on
> JASPIC be optional?
> I'd appreciate to make JASPIC optional and leave it out of Web Profile,
> because it's a cumbersome API and not really needed to be exposed in
> the Web Profile.
> Ondrej