> On Feb 14, 2018, at 11:34 AM, Romain Manni-Bucau <rmannibu...@gmail.com>
> If jsonp it can be @appscoped too technically
I was definitely advocating for that and AppScoped was supported, but it got
axed at the finish line the week before the 1.0 spec went final. We decided to
cut scope (pun intended) to get something out the door and come back and add
> > That part will be a bit tricky, but effectively we need a dependent-scoped
> > producer that can find the JWT data in the active request. Perhaps by
> > looking in the ThreadContext.
> Can't JASPIC work?
Not sure to be honest.
One place I suspect will be tough is the EJB isCallerInRole checks we do are
effectively handled by our JACC code (or was). That code expects we know all
the users that exist and their permissions at startup time. During the
Assembler phase the JaccPermissionsBuilder will build a permissions object for
each role the user has. The JACC provider then becomes effectively an in-memory
database of permissions objects. This, again, goes against the JWT
concept as the user and the roles are in the token and there is no state in the
Not sure how we'll need to handle that or if JASPIC helps.
> Also a jwt for an ejb without a request
> means....something to define ;).
That's all defined in chapter 12
... the spec may or may not have only 10 chapters :)
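As an added illustration of the mismatch discussed above (this is not TomEE code and not part of the original thread), the following self-contained Java program contrasts a permission registry that is fully assembled at startup from a known user list with a role check that is answered from a token bound to the current request thread. The class names (`VerifiedToken`, `RequestContext`, `StartupPermissionRegistry`, `produceToken`) are hypothetical stand-ins, and the token is a constructed claims object rather than a parsed JWT; real code would verify the signature before trusting any claim.

```java
import java.util.*;

// Added illustration (not TomEE code): contrasts a permission registry that is
// fixed at deployment time with role checks answered from the token bound to
// the current request. All class names here are hypothetical.
public class TokenRoleCheckDemo {

    // Minimal stand-in for a verified JWT: only the claims we care about.
    // Real code would verify the signature before trusting these values.
    static final class VerifiedToken {
        final String subject;
        final Set<String> groups;
        VerifiedToken(String subject, Set<String> groups) {
            this.subject = subject;
            this.groups = Collections.unmodifiableSet(new HashSet<>(groups));
        }
    }

    // Request holder: the token for the request being served, bound to the
    // thread serving it (the "ThreadContext" idea from the discussion).
    static final class RequestContext {
        private static final ThreadLocal<VerifiedToken> CURRENT = new ThreadLocal<>();
        static void bind(VerifiedToken t) { CURRENT.set(t); }
        static void unbind() { CURRENT.remove(); }
        static Optional<VerifiedToken> current() { return Optional.ofNullable(CURRENT.get()); }
    }

    // A dependent-style producer: every lookup resolves against whatever
    // token is bound right now, so it never caches a principal across requests.
    static VerifiedToken produceToken() {
        return RequestContext.current()
            .orElseThrow(() -> new IllegalStateException("no JWT bound to this request"));
    }

    // Model of a permissions store assembled once at startup from a known
    // user list. It cannot answer for a subject it never saw at boot time.
    static final class StartupPermissionRegistry {
        private final Map<String, Set<String>> rolesBySubject = new HashMap<>();
        void register(String subject, String... roles) {
            rolesBySubject.put(subject, new HashSet<>(Arrays.asList(roles)));
        }
        // Empty result means "unknown subject", which is the JWT problem:
        // the registry has no row for a user who exists only in a token.
        Optional<Boolean> isCallerInRole(String subject, String role) {
            Set<String> roles = rolesBySubject.get(subject);
            return roles == null ? Optional.empty() : Optional.of(roles.contains(role));
        }
    }

    // Token-backed check: roles come from the token's groups claim only,
    // so no startup state is needed.
    static boolean isCallerInRoleFromToken(String role) {
        return produceToken().groups.contains(role);
    }

    public static void main(String[] args) {
        StartupPermissionRegistry registry = new StartupPermissionRegistry();
        registry.register("alice", "admin");   // constructed: the only user known at boot

        // Constructed token for a subject that was NOT known at startup.
        VerifiedToken token = new VerifiedToken("bob", Set.of("reader"));
        RequestContext.bind(token);
        try {
            System.out.println("registry knows bob: "
                + registry.isCallerInRole("bob", "reader").isPresent());
            System.out.println("token says bob is reader: " + isCallerInRoleFromToken("reader"));
            System.out.println("token says bob is admin: " + isCallerInRoleFromToken("admin"));
        } finally {
            RequestContext.unbind(); // never leave a token on a pooled thread
        }
    }
}
```

The `finally` block matters in a container: request threads are pooled, and a token left bound after the request completes would be visible to the next request served by that thread.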