jsr340-experts@servlet-spec.java.net

[jsr340-experts] About SERVLET_SPEC-34

From: Shing Wai Chan <shing.wai.chan_at_oracle.com>
Date: Fri, 08 Feb 2013 15:48:21 -0800

We are looking at http://java.net/jira/browse/SERVLET_SPEC-34
("Auth constraint that requires a valid user, but does not require any
particular role")

We plan to do the following:
1. If the application does not define a role named "**", then
     a) "**" will represent any authenticated user
     b) isUserInRole("**") should return the same result as calling
        (request.getUserPrincipal() != null)
2. If the application defines a role named "**", then the
   application-defined role mapping will be used in constraint
   configuration and in the isUserInRole call.

We plan to add this to JSR 115 MR.
Please let me know if you have any comments.

Shing Wai Chan
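
The two cases proposed in the message above, as an added example that is not part of the original message or of any container's code. The class name, the `declaredRoles` set and the `roleMapping` store are hypothetical stand-ins for what a container would hold; the sample user is constructed.

```java
import java.security.Principal;
import java.util.Map;
import java.util.Set;

// Hypothetical model of the proposed rule; not container or specification code.
public class AnyAuthenticatedUserRole {
    static final String ANY_AUTHENTICATED = "**";

    /**
     * @param role          role name passed to isUserInRole or listed in an auth-constraint
     * @param user          result of request.getUserPrincipal(), null when unauthenticated
     * @param declaredRoles role names the application defines (assumed input)
     * @param roleMapping   principal name -> application roles granted (assumed mapping store)
     */
    static boolean isUserInRole(String role, Principal user,
                                Set<String> declaredRoles,
                                Map<String, Set<String>> roleMapping) {
        if (user == null) {
            return false; // no caller identity: no role can match
        }
        // Case 1: the application does not define "**", so it means any authenticated user.
        if (ANY_AUTHENTICATED.equals(role) && !declaredRoles.contains(ANY_AUTHENTICATED)) {
            return true;
        }
        // Case 2 (and every ordinary role): the application-defined mapping decides.
        return roleMapping.getOrDefault(user.getName(), Set.of()).contains(role);
    }

    public static void main(String[] args) {
        Principal alice = () -> "alice"; // constructed sample user
        Map<String, Set<String>> mapping = Map.of("alice", Set.of("staff"));

        // Application does not define "**": an authenticated caller matches, an anonymous one does not.
        System.out.println(isUserInRole("**", alice, Set.of("staff"), mapping));
        System.out.println(isUserInRole("**", null, Set.of("staff"), mapping));

        // Application defines "**" but alice is not mapped to it: the mapping is consulted instead.
        System.out.println(isUserInRole("**", alice, Set.of("staff", "**"), mapping));
    }
}
```

The third call shows why the second case matters for access control: once an application declares its own "**" role, an authenticated user who is not mapped to it no longer passes a "**" constraint.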