I had a look at the PFD of Java EE 8 where Security is also referred, to, e.g. EE.184.108.40.206
- isCallerInRole (SecurityContext)
- isCallerInRole (EJBContext)
- getCallerPrincipal (EJBContext)
- isUserInRole (HttpServletRequest)
- getUserPrincipal (HttpServletRequest)
So whatever changes we still come up with, once the EE 8 umbrella goes final, the API for 1.0 should also be considered feature frozen.
Luckily there's no direct reference to anything other than the JCP detail page, so moving within GitHub seems OK even after EE 8 went Final.