[javaee-spec users] Re: [jsr366-experts] Java EE Security API

From: Werner Keil <>
Date: Mon, 10 Apr 2017 21:57:58 +0200

Please also make sure, to include a JSR 375 alias like or

Some are luckily in more than one EG, but not everyone on the Umbrella JSR
lists could be the best person to answer whether or not Soteria works
withoug JASPIC.

Those with more detailed questions, please note, the JSR 375 EG holds conf
calls, right now every week. Contributors like Reza joined last week's
call, so I trust even those who are not in the EG could be welcome to such
call in the coming weeks.


On Mon, Apr 10, 2017 at 9:50 PM, Romain Manni-Bucau <>

> Hi Linda,
> can it stay outside WebProfile for EE 8? It seems security still requires
> custom API or vendor specific API in enough cases (for good and bad
> reasons) and is easier not integrating with a 3rd party (EE or not) in
> other numerous cases to not pollute the web profile with yet another spec
> not yet helping much in enough cases.
> +1 to get it in the full profile however, it is a very good move and next
> version will hopefully make it more adapted to enterprises and
> microservices and could imply a move to webprofile if accepted enough.
> Probably wiser this way than the opposite which would enforce a stack for
> EE > 8 not yet justified IMHO.
> Romain Manni-Bucau
> @rmannibucau <> | Blog
> <> | Old Blog
> <> | Github
> <> | LinkedIn
> <> | JavaEE Factory
> <>
> 2017-04-10 21:35 GMT+02:00 <>:
>> Hi Linda and Security JSR EG,
>> I think that majority of the people who care would warmly welcome this
>> new security API also in Web Profile (many people already showed their
>> preference on Twitter:
>> However, I'd like to ask what are the implications? What other
>> dependencies would it bring to the WebProfile?
>> E.g. the Security JSR depends on JASPIC, which is not part of Web
>> Profile. From the spec EDR1: " Integration with the servlet container
>> leverages JASPIC;
>> the container MUST configure and invoke the HttpAuthenticationMechanism
>> via JASPIC, as
>> described below"
>> It seems to me that with the new Security JSR, also JASPIC needs to be
>> moved to Web Profile. Is it really necessary or can the dependency on
>> JASPIC be optional?
>> I'd appreciate to make JASPIC optional and leave it out of Web Profile,
>> because it's a cumbersome API and not really needed to be exposed in
>> the Web Profile.
>> Ondrej