Posted to dev@tomcat.apache.org by Jean-Louis MONTEIRO <je...@gmail.com> on 2020/07/06 11:43:29 UTC

Plans to get GenericPrincipal to inherit CallerPrincipal?

Hi,

I would like to know if there are any plans to get GenericPrincipal to
inherit CallerPrincipal?
From a backward compatibility perspective, it does not seem to hurt because
the getName() is already in the GenericPrincipal.

The question comes because I was reading the Java Security API and this
chapter
https://javaee.github.io/security-spec/spec/jsr375-spec.html#_caller_principal_types

Seems to advise that app server should inherit from CallerPrincipal.

Thanks

-- 
Jean-Louis

Re: Plans to get GenericPrincipal to inherit CallerPrincipal?

Posted by Jean-Louis MONTEIRO <je...@gmail.com>.
Hello Mark,

Thanks for the quick response.
I was checking out if there were plans for it.

Glad it's on your radar.
I'm currently writing an Apache implementation on the TomEE side for the
Security API.

So definitely interested.
Would it help if I create a ticket to track the progress?


On Mon, Jul 6, 2020 at 14:50, Mark Thomas <ma...@apache.org> wrote:

> On 06/07/2020 12:43, Jean-Louis MONTEIRO wrote:
> > Hi,
> >
> > I would like to know if there are any plans to get GenericPrincipal to
> > inherit CallerPrincipal?
> > From a backward compatibility perspective, it does not seem to hurt
> > because the getName() is already in the GenericPrincipal.
> >
> > The question comes because I was reading the Java Security API and this
> > chapter
> > https://javaee.github.io/security-spec/spec/jsr375-spec.html#_caller_principal_types
> >
> > Seems to advise that app server should inherit from CallerPrincipal.
>
> JSR-375 was released after Java EE 8 - i.e. too late for Tomcat 9.
>
> Tomcat implements JASPIC, now Jakarta Authentication. We do need to look
> at what is changed in that spec for Jakarta EE 9 (Tomcat 10) - which
> should be very little.
>
> I don't think anyone has looked at the Jakarta Security 2.0
> spec for Jakarta EE 9 (Tomcat 10). I agree having GenericPrincipal
> extend CallerPrincipal should be low impact. However, it would need to
> be looked at in the wider context of the entire spec. We can't just pick
> a single class. Taking a quick look the spec depends on CDI which Tomcat
> does not support. Adding a dependency to that JAR just to extend
> CallerPrincipal seems a little excessive at this point.
>
> Mark
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: dev-help@tomcat.apache.org

-- 
Jean-Louis

Re: Plans to get GenericPrincipal to inherit CallerPrincipal?

Posted by Mark Thomas <ma...@apache.org>.
On 06/07/2020 12:43, Jean-Louis MONTEIRO wrote:
> Hi,
> 
> I would like to know if there are any plans to get GenericPrincipal to
> inherit CallerPrincipal?
> From a backward compatibility perspective, it does not seem to hurt
> because the getName() is already in the GenericPrincipal.
> 
> The question comes because I was reading the Java Security API and this
> chapter
> https://javaee.github.io/security-spec/spec/jsr375-spec.html#_caller_principal_types
> 
> Seems to advise that app server should inherit from CallerPrincipal.

JSR-375 was released after Java EE 8 - i.e. too late for Tomcat 9.

Tomcat implements JASPIC, now Jakarta Authentication. We do need to look
at what is changed in that spec for Jakarta EE 9 (Tomcat 10) - which
should be very little.

I don't think anyone has looked at the Jakarta Security 2.0
spec for Jakarta EE 9 (Tomcat 10). I agree having GenericPrincipal
extend CallerPrincipal should be low impact. However, it would need to
be looked at in the wider context of the entire spec. We can't just pick
a single class. Taking a quick look the spec depends on CDI which Tomcat
does not support. Adding a dependency to that JAR just to extend
CallerPrincipal seems a little excessive at this point.

Mark
