On 06/07/2020 12:43, Jean-Louis MONTEIRO wrote: > Hi, > > I would like to know if there are any plans to get GenericPrincipal to > inherit CallerPrincipal? > From a backward compatibility perspective, it does not seem to hurt > because the getName() is already in the GenericPrincipal. > > The question comes because I was reading the Java Security API and this > chapter > https://javaee.github.io/security-spec/spec/jsr375-spec.html#_caller_principal_types > > Seems to advise that app server should inherit from CallerPrincipal.
JSR-375 was released after Java EE 8 - i.e. too late for Tomcat 9. Tomcat implements JASPIC, now Jakarta Authentication. We do need to look at what is changed in that spec for Jakarta EE 9 (Tomcat 10) - which should be very little. I don't think anyone has looked at looked at the Jakarta Security 2.0 spec for Jakarta EE 9 (Tomcat 10). I agree having GenericPrincipal extend CallerPrincipal should be low impact. However, it would need to be looked at in the wider context of the entire spec. We can't just pick a single class. Taking a quick look the spec depends on CDI which Tomcat does not support. Adding a dependency to that JAR just to extend CallerPrincipal seems a little excessive at this point. Mark --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org