Re: Welcome to the new JSR-375 mailing list
On Fri, May 12, 2017 at 10:20 PM, Will Hopkins <will.hopkins@...> wrote:
By the JCP rules, everything that's in the API is also in the spec. In JSF for example there are quite an amount of things that are only in the Javadoc of the API and are then considered spec'd. For JSF 2.3, which we recently finished, I again double checked this.
Maybe it would help to reach out to Ed Burns (cc'ed) for this specific point, who is very experienced in this area and may be able to clarify this.
I don't think that should be needed. This was added relatively early to the spec, has received much positive feedback, and there are no problems with it that I know of.
It doesn't appear in the PDF, but as mentioned, not everything has to be put in there. If it's in the Javadoc it's considered part of the spec.
Nevertheless if you, or someone else in the EG, prefers a section for this in the EDR I can easily add this, but technically it should not be needed (should not be needed for the process).
(Re)moving it at this stage is probably risky, since the feature is also closely related to the form and custom form authentication mechanisms.
In practice it seems that almost all platforms should hopefully not have much issues with this. It used to be quite different with GlassFish, WebSphere and WebLogic all mandating group to role mapping. Currently Liberty defaults to this default mapping when JASPIC is used and WebLogic when no explicit configuration is present. JBoss and TomEE never mandated this. GlassFish still mandates it, but has an option to switch it off already.