Re: Java EE and JWT (JSON Web Tokens)

>I understand time constraints, but I am also wondering what everyone’s thoughts are on JWT?

It's something that we really wanted to have in, along with OAuth2 support. OAuth2 was in scope from the beginning of the JSR, really.

While I'm happy with all the great work that we did get in, it's also frustrating to see that a number of things did not get in. In particular, the security interceptors (a CDI-based @RolesAllowed replacement) and some modern authentication mechanisms that really go beyond what Servlet offers were high on my wish list, at least.

A particular issue with both the JWT and OAuth2 prototypes / proofs of concept is that the most straightforward implementation depends on external libraries. If I understand correctly, it's not trivial to get approval for the use of such libraries in the RI.

The current plan that we more or less had was to put these existing proofs of concept in a separate OSS library independent of the JCP and/or the RI, polish them there, and then try to get them standardised for the next revision of the Java EE Security API. That way most Java EE 8 users would at least have access to these mechanisms, with the additional hassle of having to include the OSS library in their apps.

