users@servlet-spec.java.net

[servlet-spec users] Re: session(-less) applications

From: arjan tijms <arjan.tijms_at_gmail.com>
Date: Tue, 9 Dec 2014 12:24:58 +0100

Hi,

On Tue, Dec 9, 2014 at 9:51 AM, Mark Thomas <markt_at_apache.org> wrote:
>> We've seen how worthwhile "MAY" statements are in the spec. Just refer
>> to Arjan's thread about JASPIC (still waiting for a resolution on that
>> one by the way) being no longer optional for Servlet to see the problems
>> that can be created by MAY statements.
>
> I'm happy with the current MAY for that one.

The exact wording in 15.3.3 is actually "In a Java EE product [...]
Servlet containers MUST" and in 13.6.5 "[...] it is recommended that
[...]".

Obviously I'm not happy with that current wording ;)

Security in Java EE and specifically authentication has been stuck for
ages, which is probably the one argument that pretty much everyone
agrees with.

Now changing a few words here would of course not magically change the
world, but it's a much needed stepping stone to build further
improvements on.

We're basically facing a chicken and egg problem now; almost nobody
asks after the standardized authentication API since it's very low
level and not available everywhere (making the entire point of it
being a standardized API far less attractive), and not everyone
wants to make it available everywhere since almost nobody asks for it.
And then, making it almost a Mexican standoff, third parties aren't too
eager to improve the API since almost nobody asks after it and it
isn't available everywhere.

Now I'd really like to see this deadlock broken. As was discussed
before, for most Servlet containers it wouldn't be a very big problem
in terms of development resources. Tomcat is an exception, but if I'm
not mistaken Mark, you did mention that you had JASPIC on your TODO
list for a while (for Tomcat 7), but didn't get to it yet because of a
lack of demand, and because it wasn't required by the Servlet spec,
right?

As I offered before, if I contributed a JASPIC implementation for
Tomcat, would that perhaps change your mind somewhat?

Kind regards,
Arjan Tijms
>
>> So, after reading the interesting messages of this thread, I think the
>> concrete action may be to just add a little bit of spec text.
>
> I'd be fine with that.
>
> Mark
>