users@servlet-spec.java.net

[servlet-spec users] Re: Standardizing authentication modules in Servlet (via JASPIC)?

From: Edward Burns <edward.burns_at_oracle.com>
Date: Mon, 3 Nov 2014 11:44:02 -0800

>>>>> On Sat, 01 Nov 2014 10:14:10 +0000, Mark Thomas <markt_at_apache.org> said:

EB> Thanks for your definitive answer. Is there any circumstance where you
EB> can imagine supporting it?

MT> Supporting it as in supporting the idea that it should be mandatory? No.

MT> Supporting it as in Tomcat shipping with JASPIC support? Yes, with
MT> caveats. Those caveats are:

MT> - There needs to be an implementation on the table. We don't have that
MT> yet.
MT> - The impact any such implementation has on Tomcat internals.
MT> - The size of the implementation. (The larger it is, the more likely it
MT> would ship as an optional extra.)
MT> - The demand for it.

EB> It it a resource question?

MT> Partly. It is on the TODO list but fairly near the bottom due to the
MT> lack of demand for it.

EB> Is it an architecture question?

MT> No. I haven't looked at the architecture.

EB> Is it because you feel JASPIC needs some improvements first?

MT> No. I haven't looked at JASPIC in any details at all.

Ok, these are actionable responses. Arjan, can you please get back to
the list with a feel for if it's possible to do as you said with the
Geronimo JASPIC impl?

MT> There is also the ongoing issue of the ASF having access to the JavaEE
MT> TCKs under terms that would enable us to continue release software
MT> tested with the TCKs under the ALv2. I'd like to be able to test any
MT> JASPIC implementation with the TCK before release and that doesn't look
MT> like it is going to be an option any time soon.

I can't comment on this, but I can say please encourage Gier to respond
to Cameron's mail. If this has already happened, then my apologies.

Ed

-- 
| edward.burns_at_oracle.com | office: +1 407 458 0017
|  4 work days til Devoxx 2014