Thanks for moving forward with this. I think I added the SecurityContext references, but I probably should have thought through that better. In general, I think the reasoning to keep the polaris-core agnostic of REST or web services is a good approach.
For the core changes, I think it's also important to not over-rely on CDI for injection of request-scoped dependencies, like PolarisPrincipal. AFAICT, from the PR, it looks like the PolarisPrincipal is passed into the ResolverFactory as a method argument and everything else is wired from that, so I think that satisfies that goal from my perspective. Mike On Mon, Nov 3, 2025 at 8:51 AM Dmitri Bourlatchkov <[email protected]> wrote: > Hi All, > > PR [2932] proposes to replace SecurityContext parameters with > PolarisPrincipal. > > From my POV this change makes sense because SecurityContext is specific to > Web / REST frameworks (rs-api) while PolarisPrincipal is a Polaris concept > and depends only on pure JRE interfaces. > > Overall, this PR reduces the dependency on Web / REST libraries in > polaris-core. > > The PR has been in review since Oct 31. I propose to merge on Nov > 4. Please comment or reply to this thread if you have any concerns. > > [2932] https://github.com/apache/polaris/pull/2932 > > Thanks, > Dmitri. >
