Jakarta Security 3.0

The goal of this release is to continue adding features and evolving the API. A number of those had been discussed and even had prototype implementations during the development of the previous version, but didn't make it in.

More specifically:

Additional authentication mechanisms:

* Client-cert and Digest SECURITY #120 ❌

* OpenID Connect SECURITY #183 ✅ *

Extended authentication mechanisms:

* Authentication mechanism per URL SECURIY #86 ❌

* User choice of authentication mechanism (login with provider X, login with provider Y, etc) ❌

* Multiple authentication mechanisms (try JWT, fallback to BASIC, etc) ❌


* @RolesAllowed alternative ❌

* Easily adding an interceptor to a build-in CDI bean blog ✅/❌


* Authorization modules blog ❌

(*) Note that OpenID Connect builds on OAuth2 by definiton of the OpenID Connect spec, but Jakarta Security has no explicit support for "plain" or "raw" OAuth2.

Release Date
Release Type
Major release (API breakage)
This release is part of Jakarta 10