Jakarta Security 3.0 Release Review

End Date of the Review Period

Reviews run for a minimum of one week. The outcome of the review is decided on this date. This is the last day to make comments or ask questions about this review.




The goal of this release is to continue adding features and evolving the API. A number of those had been discussed and even had prototype implementations during the development of the previous version, but didn't make it in.

More specifically:

Additional authentication mechanisms:

* Client-cert and Digest SECURITY #120 ❌

* OpenID Connect SECURITY #183 ✅ *

Extended authentication mechanisms:

* Authentication mechanism per URL SECURIY #86 ❌

* User choice of authentication mechanism (login with provider X, login with provider Y, etc) ❌

* Multiple authentication mechanisms (try JWT, fallback to BASIC, etc) ❌


* @RolesAllowed alternative ❌

* Easily adding an interceptor to a build-in CDI bean blog ✅/❌


* Authorization modules blog ❌

(*) Note that OpenID Connect builds on OAuth2 by definiton of the OpenID Connect spec, but Jakarta Security has no explicit support for "plain" or "raw" OAuth2.

Conforms To UI/UX Guidelines
Not verified
This release is part of Jakarta 10