The goal of this release is to continue adding features and evolving the API. A number of those had been discussed and even had prototype implementations during the development of the previous version, but didn't make it in.
More specifically:
Additional authentication mechanisms:
* Client-cert and Digest SECURITY #120
Extended authentication mechanisms:
* Authentication mechanism per URL SECURITY #86
* User choice of authentication mechanism (login with provider X, login with provider Y, etc.)
* Multiple authentication mechanisms (try JWT, fall back to BASIC, etc.)
CDI:
* @RolesAllowed alternative
* Easily adding an interceptor to a built-in CDI bean
Features:
* Authorization modules
Removals, deprecations or backwards incompatible changes:
* Remove references to the SecurityManager (as listed here: https://github.com/search?q=repo%3Ajakartaee%2Fsecurity%20SecurityManager&type=code)
(Note: Jakarta Security does not use the SecurityManager explicitly, but it shows up as a somewhat internal detail in the API code.)