On 02/08/2013 08:49 PM, Rajiv Mordani wrote:
> Mark,
> Ron has driven the security issues for servlet spec for both 3.0
> and 3.1 work so I am on board with the proposed solution from Ron at
> least to close
> the gap in the short term. We can revisit the more detailed security
> model
> changes in a future revision of the spec.
+1
However, if a new security model is introduced in the next
specification, it would be a bit awkward to have two separate security
layers, each presumably with its own XML elements in web.xml and
annotations, with the user wondering which one he should be using. It
should be possible, with the login/logout security API being available,
to simply ack that the real security framework lives in the webapp,
which could be the only solution that wouldn't get us into trouble.
Rémy