First if this is a road
people wanted to go down then it would first
have to be deprecated from Web profile as it is
a major breaking change so Jakarta EE 11 is too
soon.
It would be deprecated in EE 11 indeed, not yet
removed as a requirement for that profile.
Second there isn’t
currently a CDI mechanism for doing every thing
that is done with EJB-lite. Therefore I think we
need to have CDI equivalents for capabilities of
Session beans. These could be spread between
different specifications e.g. @Pooled into
concurrency.
Indeed, there's a handful of features / services not
readily available yet. Reza Rahman enumerated them all
the way back in 2012, and that list can still be used as
a tracker. Essentially this one at the time was created
in response of Reza's list:
https://github.com/omnifaces/omniservices
It indeed contains the @Pooled. After 9 years (7
since commit) it could be updated a little bit, but not
that much as the underlying CDI APIs didn't change much.
That one can be used as a prototype.
Both these could be used as a starting point to
define a spec based version on.
Finally use of the
@RunAs, @RolesAllowed etc. needs to be
normalised across specs to ensure behaviour
would be equivalent on a CDI bean as it would be
on an EJB in all specifications.
True. This had been on the radar for Security 3.0,
see
https://projects.eclipse.org/projects/ee4j.es/releases/3.0
Unfortuantely it just didn't happen, but it's there.
The bar for just emulating how EJB does it is fairly
low, but we'd likely want to give it a little more of a
kick in a CDI version. For instance, especially for
Jakarta REST / JAX-RS and potentially Servlet we
probably want an option to have an authentication
mechanism invoked when the caller appears to be not
authenticated. We might use our experience with
the @RolesAllowed interpretation in MP/JWT there.
Ultimately it may be possible
to replace @Stateless with a stereotype that
includes a bunch of other relevant interceptor
annotations to get the same behaviour as a
Stateless EJB on a CDI bean.
Kind regards,
Arjan Tijms