users@servlet-spec.java.net

[servlet-spec users] Re: session(-less) applications

From: Mark Thomas <markt_at_apache.org>
Date: Tue, 09 Dec 2014 12:31:32 +0000

On 09/12/2014 11:24, arjan tijms wrote:
> Hi,
>
> On Tue, Dec 9, 2014 at 9:51 AM, Mark Thomas <markt_at_apache.org> wrote:
>>> We've seen how worthwhile "MAY" statements are in the spec. Just refer
>>> to Arjan's thread about JASPIC (still waiting for a resolution on that
>>> one by the way) being no longer optional for Servlet to see the problems
>>> that can be created by MAY statements.
>>
>> I'm happy with the current MAY for that one.
>
> The exact wording in 15.3.3 is actually "In a Java EE product [...]
> Servlet containers MUST" and in 13.6.5 "[...] it is recommended that
> [...]".
>
> Obviously I'm not happy with that current wording ;)
>
> Security in Java EE and specifically authentication has been stuck for
> ages, which is probably the one argument that pretty much everyone
> agrees with.
>
> Now changing a few words here would of course not magically change the
> world, but it's a much needed stepping stone to build further
> improvements on.
>
> We're basically facing a chicken and egg problem now; almost nobody
> asks after the standardized authentication API since it's very low
> level and not available everywhere (making the entire point of it
> being a standardized API far less attractive), and not everyone
> wants to make it available everywhere since almost nobody asks for it.
> And then making it almost a Mexican standoff, third parties aren't too
> eager to improve the API since almost nobody asks after it and it
> isn't available everywhere.
>
> Now I'd really like to see this deadlock broken. As was discussed
> before, for most Servlet containers it wouldn't be a very big problem
> in terms of development resources. Tomcat is an exception, but if I'm
> not mistaken Mark, you did mention that you had JASPIC on your TODO
> list for a while (for Tomcat 7), but didn't get to it yet because of a
> lack of demand, and because it wasn't required by the Servlet spec,
> right?
>
> As I offered before, if I contributed a JASPIC implementation for
> Tomcat, would that perhaps change your mind somewhat?

My position on JASPIC hasn't changed since you last asked:

https://java.net/projects/servlet-spec/lists/users/archive/2014-11/message/0

Mark