Jakarta Security 3.0

The goal of this release is to continue adding features and evolving the API. A number of those features were discussed, and some even had prototype implementations, during the development of the previous version, but didn't make it in.

More specifically:

Additional authentication mechanisms:

* Client-cert and Digest SECURITY #120 ❌

* OpenID Connect SECURITY #183 ✅ *

Extended authentication mechanisms:

* Authentication mechanism per URL SECURITY #86 ❌

* User choice of authentication mechanism (login with provider X, login with provider Y, etc.) ❌

* Multiple authentication mechanisms (try JWT, fall back to BASIC, etc.) ❌



CDI:

* @RolesAllowed alternative ❌

* Easily adding an interceptor to a built-in CDI bean blog ✅/❌



Features

* Authorization modules blog ❌

(*) Note that OpenID Connect builds on OAuth2 by definition of the OpenID Connect spec, but Jakarta Security has no explicit support for "plain" or "raw" OAuth2.

Release Date
Release Type: Major release (API breakage)
This release is part of Jakarta 10