Re: Welcome to the new JSR-375 mailing list

Will Hopkins

Hi Arjan,

Yes, it's been quiet -- I apologize for the long absence; in addition to a previously-planned week of vacation, I was given another assignment that took longer than anyone expected, and I kept my head down on that so as to get it done as quickly as I could. I've spent the last week coming back up to speed and preparing for the PR draft, which is now behind schedule.

As to the changes, I'd prefer to leave that for the upcoming email, to avoid spawning many different email threads. Mostly the changes relate to comments provided by those who reviewed the spec, points that seem to be the consensus of the EG, and also some points where there has not been consensus, but where I've made a decision based on differing points of view expressed by the EG (or community input). There are also a couple points on which I've made a unilateral decision simply because there isn't time to fully discuss things. The point of the email is to provide the EG with at least a little time for feedback prior to publishing the PR.

I've also noticed that there are a number of interfaces in the API repo that don't correspond to things we've spec'd; the RememberMeIdentityStore, for example. I propose to move those out of the API (spec) to the RI.

What are you referring to re: 1:1 role mapping? Is that from the discussion on the ML after the last meeting?


On 05/12/2017 02:36 PM, Arjan Tijms wrote:
Hi Will,

Good to hear from you again, it has been a tad quiet at the list since the last EG call.

What are roughly speaking the API changes that still need to be done?

Off the top of my head I think there's still one occurrence of getGroups returning a list. Spec-wise we still need to say that the identity store getGroups method is subject to a Java SE security manager restriction.

After last call I applied a couple of other things as discussed during that call, such as the renaming and the check in the handler that we overlooked previously.

One final thing that we should still spec is the 1:1 role mapping. We can either do this via a new element in web.xml, an annotation, both, or even something implicit (say spec text like: "If a JSR 375 authentication mechanism is configured, and group to role mapping is not explicitly configured in a container specific way, the container *MUST* default to 1:1 group to role mapping").


Kind regards,
Arjan Tijms

On Fri, May 12, 2017 at 7:37 PM, Will Hopkins <will.hopkins@...> wrote:
JSR-375 Experts and Users:

Welcome to the new JSR-375 mailing list (

This list replaces the mailing lists previously hosted at There are no longer separate "experts" and "users" lists; this single list will be used for both purposes (which is a good simplification, since the old experts list was always forwarded to the users list anyway, creating lots of extra copies of emails). The "issues" and "commits" lists will not be replicated here, but there are other mechanisms available to be notified of changes to the github source repos or issues lists.

I have been working on updating the spec for publication of the Public Review Draft. It's not quite done, but I plan to send an email later today detailing the major changes from the EDR and corresponding changes I expect to make to the API code.


Will Hopkins | WebLogic Security Architect | +1.781.442.0310
Oracle Application Development
35 Network Drive, Burlington, MA 01803
