On 9 December 2014 at 13:31, Mark Thomas <markt_at_apache.org> wrote:
>
> My position on JASPIC hasn't changed since you last asked:
>
>
> https://java.net/projects/servlet-spec/lists/users/archive/2014-11/message/0
>
Note that Jetty has supported JASPI for some time. I like the concept,
even though it was extremely disruptive to implement.
But the main failing of the approach, is that to my knowledge, nobody uses
it! At least not with Jetty. Perhaps there may have been a few users
when Jetty was part of the Geronimo container (as IBM via Geronimo were the
main driver for our implementation), but since those days, I have not seen
a single question or usage of JASPI nor any 3rd party authentication
modules.
I suspect that our implementation is probably out of date and/or broken,
but without demand or usage, natural software decay will set in.
The only way that I could see JASPI as part of the servlet spec, is if we
all agreed to deprecate all container authentication in 4.0 and support
JASPI as the primary authentication mechanism. Only with something like
that would it be likely that truly portable and innovative authentication
mechanisms would evolve and thus drive demand.
If there were JASPI implementations for OAUTH, Kerboros etc available, then
that may also drive adoption, but as far as I can tell, those that use
JASPI do so for their own proprietary mechanisms.
cheers
--
Greg Wilkins <gregw_at_intalio.com> @ Webtide - *an Intalio subsidiary*
http://eclipse.org/jetty HTTP, SPDY, Websocket server and client that scales
http://www.webtide.com advice and support for jetty and cometd.