Hi,
Jakarta EE 11 is not yet released, but since there's only TCK work remaining we can (should) start thinking about Jakarta EE 12 and Security 4.1/5.0.
There are a number of open issues, but I would like to start a discussion for some input on this.
Personally I think we should look at making security viable for Quarkus (MicroProfile). The problem there is that Quarkus (MicroProfile) uses another HTTP API, namely Jakarta REST. For Security, at least the authentication part, we're using Jakarta Servlet.
The core Jakarta Authentication SPI however is protocol neutral in its API (all types are Object etc, which can be cast to a specific network object, e.g. HttpServletRequest).
Additionally, Quarkus is all about reactive, so naturally they want the security API to be reactive. There are two problems with this:
1. Developers are seemingly not super enthusiastic about reactive (it never became the default way to do HTTP)
2. There's nothing in Jakarta EE or MP supporting reactive directly
Thoughts?
Kind regards,
Arjan Tijms