For frameworks built on servlets... which really are just looking for a HTTP API and not an application API, then I think most will want to boast that they can scale to huge volumes at low latencies.
Stepping aside from the performance discussion for a moment, most practically speaking we have the issue of Jakarta REST (JAX-RS) which often sits on top of Servlet, but its spec also allows to run with an unspecified own HTTP stack. Recently Helidon and Quarkus specifically have taken that latter route.
This means the basic HTTPServletRequest and specifically HTTPServletRequest#authenticate is not guaranteed to be available in Jakarta REST. Additionally the SPI to integrate custom authentication mechanisms (which Jakarta Authentication defines) is missing here.
With my security hat on, I'd say the new HTTP API / Servlet-Lite should not include any of the authentication mechanisms that are currently included in Servlet (FORM, BASIC, CLIEN-CERT and optionally DIGEST), but should contain an SPI so frameworks can integrate those.
Kind regards,
Arjan Tijms
