Re: [jakarta.ee-community] Is Jakarta EE Security missing something?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]

Re: [jakarta.ee-community] Is Jakarta EE Security missing something?

From: Arjan Tijms <arjan.tijms@xxxxxxxxxxx>
Date: Wed, 23 Apr 2025 21:48:54 +0200
Delivered-to: jakarta.ee-community@xxxxxxxxxxx
List-archive: <https://www.eclipse.org/mailman/private/jakarta.ee-community/>
List-help: <mailto:jakarta.ee-community-request@eclipse.org?subject=help>
List-subscribe: <https://www.eclipse.org/mailman/listinfo/jakarta.ee-community>, <mailto:jakarta.ee-community-request@eclipse.org?subject=subscribe>
List-unsubscribe: <https://www.eclipse.org/mailman/options/jakarta.ee-community>, <mailto:jakarta.ee-community-request@eclipse.org?subject=unsubscribe>

Hi,

I guess your answer in this forum will be that Jakarta EE is just a specification and if I need such a feature I can implement my own jaspi login module. But can that really be true? Not every developer writes his own jaspi Login module.

Certainly not. Just to get terminology right, we never had jaspi login modules. We did support the JAAS LoginModule (javax.security.auth.spi.LoginModule) via the bridge profile, but this was never a good match really.

For Jakarta Security we don't use this bridgeprofile. Authentication Mechanisms in Jakarta Security use identity stores (jakarta.security.enterprise.identitystore.IdentityStore).

Also, the name jaspi doesn't exist anymore (there's a question whether it had ever existed). Since some time it's Jakarta Authentication.

Jakarta Security depends on Jakarta Authentication by installing a ServerAuthModule that delegates to an HttpAuthenticationMechanism (jakarta.security.enterprise.authentication.mechanism.http.HttpAuthenticationMechanism).

This is what @OpenIdAuthenticationMechanismDefinition in turn is based on.

For your exact requirements; it might be good to create an issue for that at https://github.com/jakartaee/security

Kind regards,

Arjan Tijms

I myself shy away from it, because I expect that I will very quickly reach a point where I am no longer platform independent.

Can anyone help me with this question? Or am I missing an important concept of Jakarta EE all the time?
I have already written issues about this at Wildfly and soteria and on Stackoverflow. But somehow the community is silent on this topic.

https://issues.redhat.com/browse/WFLY-20498

https://github.com/eclipse-ee4j/soteria/issues/393

https://stackoverflow.com/questions/79500287/how-to-access-a-jakarta-ee-rest-application-secured-by-keycloak-in-java

https://stackoverflow.com/questions/76394897/how-to-use-oidc-in-jakarta-ee

Thanks for your help in advance

===
Ralph

--

Imixs Software Solutions GmbH
Web: www.imixs.com Phone: +49 (0)89-452136 16
Timezone: Europe/Berlin - CET/CEST
Office: Frei-Otto-Str. 4, 80797 München
Registergericht: Amtsgericht München, HRB 136045
Geschäftsführer: Gaby Heinle u. Ralph Soika

Imixs is an open source company, read more: www.imixs.org

_______________________________________________
jakarta.ee-community mailing list
jakarta.ee-community@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/jakarta.ee-community

Follow-Ups:
- Re: [jakarta.ee-community] Is Jakarta EE Security missing something?
  - From: Ralph Soika

References:
- [jakarta.ee-community] Is Jakarta EE Security missing something?
  - From: Ralph Soika

Prev by Date: Re: [jakarta.ee-community] Is Jakarta EE Security missing something?
Next by Date: Re: [jakarta.ee-community] Is Jakarta EE Security missing something?
Previous by thread: Re: [jakarta.ee-community] Is Jakarta EE Security missing something?
Next by thread: Re: [jakarta.ee-community] Is Jakarta EE Security missing something?
Index(es):
- Date
- Thread

Breadcrumbs