
Standardize authentication modules in Servlet

Open glassfishrobot opened this issue 11 years ago • 7 comments

13.6.5 of the Servlet spec says that it's recommended that Servlet containers use the Servlet Container Profile of the Java Authentication SPI for Containers (aka JASPIC, i.e. JSR 196).

In order to facilitate portability and a steady base to build upon for the entire Java EE platform, I'd like to propose to change this from "recommended" to "mandated".

glassfishrobot avatar Oct 31 '14 08:10 glassfishrobot

  • Issue Imported From: https://github.com/javaee/servlet-spec/issues/114
  • Original Issue Raised By: @glassfishrobot
  • Original Issue Assigned To: @glassfishrobot

glassfishrobot avatar Jun 06 '18 08:06 glassfishrobot

@glassfishrobot Commented Reported by arjan_t

glassfishrobot avatar Oct 31 '14 08:10 glassfishrobot

@glassfishrobot Commented arjan_t said: P.S., a change in section 15.3.3 is also needed.

This section now says that all Servlet containers must implement JASPIC in a Java EE product or a product that supports JASPIC.

For this section I'd like to propose removing the conditional so that the section simply holds for all Servlet containers.

The section in 15.3.3 now reads as follows:

In a Java EE product, or a product that includes support for The Java Authentication SPI for Containers (JASPIC, i.e, JSR 196), all Servlet containers MUST implement the Servlet Container Profile of the JASPIC specification.

After the proposed change this would become:

All Servlet containers MUST implement the Servlet Container Profile of the JASPIC specification.

For completeness, the section in 13.6.5 now reads:

To facilitate portable implementation and integration of additional container authentication mechanisms, it is recommended that all Servlet containers implement the Servlet Container Profile of The Java Authentication SPI for Containers

After the proposed change this would become:

To facilitate portable implementation and integration of additional container authentication mechanisms, it is mandated that all Servlet containers implement the Servlet Container Profile of The Java Authentication SPI for Containers

glassfishrobot avatar Oct 31 '14 19:10 glassfishrobot

@glassfishrobot Commented This issue was imported from java.net JIRA SERVLET_SPEC-114

glassfishrobot avatar Apr 26 '17 06:04 glassfishrobot

I don't think Servlet should require JASPIC, @gregw @markt-asf what are your thoughts on this?

stuartwdouglas avatar Sep 10 '20 00:09 stuartwdouglas

I would like there to be a vibrant third party market of pluggable authentication and authorization modules.... but there just isn't and JASPIC has not made one grow.

I think implementations are available, so the issues with it not becoming popular are unlikely to be resolved by mandating its availability. Furthermore I don't think mandating it will make any container that currently supports it as an optional feature change to make it non optional.

So I'm -1 and close this issue

gregw avatar Sep 10 '20 08:09 gregw

I think recommended is the right choice here.

markt-asf avatar Sep 10 '20 08:09 markt-asf

The consensus is, effectively, 'won't fix' so closing.

markt-asf avatar Mar 22 '24 16:03 markt-asf