Skip to main content

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]
Re: [jakartaee-platform-dev] Moving MicroProfile JWT to JakartaSecurity?

On Wed, Nov 9, 2022 at 9:50 PM Scott Stark <starksm64@xxxxxxxxx> wrote:
The only place the Jakarta API usage other than CDI shows up is in the org.eclipse.microprofile.jwt.tck.container.* package of the TCK tests. All of those other than org.eclipse.microprofile.jwt.tck.container.jaxrs.* could be moved to the Jakarta Security project in my view, as they stretch requirements for MP implementation to unused specs.

I don't see why the core API and spec cannot remain in MP and the security specs build on that.

More or less the same reason why we included say extensionless URLs in Faces, and didn't ask users to just use OmniFaces? There's a benefit to having JWT among the list of supported authentication mechanisms in the base spec instead of asking users to install an external library. In this case users would have to add an MP Config implementation and a Jakarta EE compatible MP JWT implementation to their wars. It's of course possible, but not ideal.

Also, what if it happened the other way around? What if MP wants to add an Open ID Connect authentication mechanism (which Jakarta EE already has)?

In general Jakara needs to use better composition to allow for more layered usage, and EJB, Servlet and JAXRS related APIs need to be in separate artifacts.

I'm not sure about this. Aren't the EJB, Servlet and REST APIs not already separate artefacts? e.g.  

Kind regards,
Arjan Tijms


Back to the top