Re: ACTION REQUIRED: JSR-375 Expert Group


Arjan Tijms
 

Hi,

The JSR is ready in my opinion.

We have largely achieved what we wanted to achieve, and the things that were not done are such that they can be done in a next release. It's somewhat of a personal regret of mine that we didn't get to specify the additional planned methods for the SecurityContext (specifically the login() method), and that the CDI/JSR375 version of @RolesAllowed was not incorporated.

Nevertheless, these omissions in no way take away from the core value of the current work or influence its readiness for the JSR to be released.

A few small things here and there in the JSR would not have been my first choice, but as the JCP is of course about consensus and compromises, I can absolutely live with the versions of those things about which we reached consensus.

So overall I'm really happy with the result :)

As for the spec document, there are a few small additional things I noticed, but nothing major:

>This chapter overview information and terminology related to this specification, and also includes a general requirements not specified elsewhere in this document. 

This sentence doesn't read so well.

I guess it should be something like: "This chapter contains an overview of information ..."  and "includes general requirements ..."


> validateRequest() will be invoked before the doFilter() method of any servlet filter or the service() method of any servlet in the application for requests to constrained as well as to unconstrained resources, and, in addition, in response to application code calling the authenticate() method on the HttpServletRequest

For completeness this should maybe include SecurityContext as well.

On page 21

> if (status.equals(IN_PROGRESS)) {
>     facesContext.responseComplete();
> }

I just noticed this, but we forgot to update this status to the renamed version, "SEND_CONTINUE". As it's only an example it's not critical, but still...

Kind regards,
Arjan Tijms

