Werner,

Just to make sure I've captured the net result of your feedback after discussion, the one change you'd now propose is to add a referenced to JDBC 4 in Section 3.5, in relation to the @DatabaseIdentityStoreDefinition?

Can you be more specific about the version? To Arjan's point about CDI, using a a version that's supported in EE 7 makes Soteria more portable. Looking at the JSR-221 page, looks like an MR is in process now that wants to be JDBC 4.3, and the EE 7 platform spec seems to reference JDBC 4.1 (the way the spec is written doesn't make it easy to see at a glance which versions of various specs it requires; all I found is that JDBC drivers used with EE 7 must be JDBC 4.1 compliant).

I've add this to the issue I have tracking these potential changes: https://github.com/javaee/security-spec/issues/62, so please confirm I've got it correctly.

Will

I saw, these exist in multiple places, so Servlet and EJB are mentioned in different chapters like 4.5

Nevertheless, I believe JDBC 4 should be mentioned and a reference added in 3.5 as the  @DatabaseIdentityStoreDefinition.
is part of chapter 3.

-- 
Will Hopkins | WebLogic Security Architect | +1.781.442.0310
Oracle Application Development
35 Network Drive, Burlington, MA 01803