Yes, my reply could be interpreted otherwise as intended.
MicroProfile JWT does not rely on Servlet and Jaspic today. If we integrate the spec into Jakarta Security, it does require it and this means several runties are no longer able to implement it.
Jakarta Security btw has no dependency on Jaspic. There is a dependency on the Servlet Container Profile of Jakarta Authentication, and with that Servlet.
It has been one of the great political and architectural failures (IMHO) of Jakarta EE and Microprofile that we somehow have come to a point that we must "fear" (for lack of a better term) Servlet and a simple Servlet extension to integrate authentication mechanisms.
How did we as a group, as a team, ever came to this situation? What forces caused this to happen? How did we let it happen?
J2EE back then started with Servlets as the simple and basic foundation of everything server. Servlet has been the unifying technology for pretty much everything server side Java, including things like Spring and even partially Scala frameworks like Play! Servlet 1.0 among others didn't have a simple API to integrate custom authentication modules, so this was planned for a later release. Eventually the forces that were at the time decided to put this extension API in a separate spec.
Fast forward a decade or so, and we are now in some kind of agreement that we have to "fear" Servlet and especially a few lines of APIs that would have been in Servlet itself but got moved out of it. It's a very strange situation, isn't it?
Kind regards,
Arjan Tijms
