Re: ACTION REQUIRED: JSR-375 Expert Group

Will Hopkins

Thanks, Arjan.

I'll add these mistakes to an issue I created today to track a couple other typos.

My understanding is we may have an opportunity to correct that sort of mistake during/after the final ballot process. We can't change the substance of the document, but, at a minimum, the license text needs to be updated, and I've been given the impression it would be permissible to fix typos, etc. It's also possible that objections will be raised during the ballot that would need to be addressed.


On 08/02/2017 06:40 PM, Arjan Tijms wrote:

The JSR is ready in my opinion.

We have largely achieved what we wanted to achieve, and the things that were not done are such that they can be done in a next release. It's somewhat of a personal regret of mine that we didn't get to specify the additional planned methods for the SecurityContext (specifically the login() method), and that the CDI/JSR375 version of @RolesAllowed was not incorporated.

Nevertheless, these omissions in no way take away from the core value of the current work or influence its readiness for the JSR to be released.

A few small things here and there in the JSR would not have been my first choice, but as the JCP is of course about consensus and compromises, I can absolutely live with the versions of those things about which we reached consensus.

So overall I'm really happy with the result :)

As for the spec document, there's a few small additional things I noticed, but nothing major:

>This chapter overview information and terminology related to this specification, and also includes a general requirements not specified elsewhere in this document. 

This sentence doesn't read so well.

I guess it should be something like: "This chapter contains an overview of information ..."  and "includes general requirements ..."

>validateRequest() will be invoked before the doFilter() method of any servlet filter or the service() method of any servlet in the application for requests to constrained as well as to unconstrained resources, and, in addition, in response to application code calling the authenticate() method on the HttpServletRequest

For completeness this should maybe include SecurityContext as well.

On page 21

>if (status.equals(IN_PROGRESS)) {

I just noticed this, but we forgot to update this status to the renamed version: "SEND_CONTINUE". As it's only an example it's not critical, but still...

Kind regards,
Arjan Tijms

Will Hopkins | WebLogic Security Architect | +1.781.442.0310
Oracle Application Development
35 Network Drive, Burlington, MA 01803
