tomcat-users mailing list archives

From Ron Monzillo
Subject Re: Consider support for the Servlet profile of JSR 196 (JASPIC) in Tomcat 7.0.x
Date Wed, 06 Feb 2013 15:45:37 GMT
On 2/3/13 5:02 AM, Mark Thomas wrote:
> On 30/01/2013 23:57, Ron Monzillo wrote:
>> Tomcat Experts and Users,
>> The Servlet Profile of JSR 196 defines the use of the JASPIC SPI in
>> support of the portable integration
>> of new and/or custom authentication mechanisms in compatible Servlet
>> containers.
>> The Profile is a required component of all Full Platform EE Web
>> Containers, and we are receiving requests
>> for the profile to become a required component of the EE web profile. To
>> that end, we are contacting
>> standalone and EE web profile Servlet containers to determine if there
>> is interest in adopting the profile.
>> For those unfamiliar with JASPIC, the SPI is a general purpose facility
>> that applies the concepts of pluggable
>> authentication as defined by PAM and JAAS to the realm of message
>> authentication. The Servlet profile applies
>> the SPI to the realm of HttpServletRequest message authentication in the
>> context of servlet security constraint
>> processing. The SPI was defined to support complex challenge response
>> authentication protocols, and has
>> been shown to be an effective means to integrate portable
>> implementations of new internet authentication
>> mechanisms (e.g. Facebook Connect, and SAML WEB SSO) in compatible
>> Servlet containers.
>> Does the Tomcat community support the inclusion of the Servlet profile
>> of JSR 196 in the EE web Profile?
> Apache Tomcat does not currently support the Java EE web profile. Tomcat
> currently supports only the Servlet, JSP and EL specifications and will
> be adding WebSocket to that list for Tomcat 8.
> There has been very little demand from the Apache Tomcat user community to
> support the Java EE web profile. There have been just two threads on the
> users list that mention the web profile. There have been slightly more
> on the dev list.
> JASPIC was on the TODO list for Tomcat 7 for a while but it dropped off
> because a) it wasn't a mandatory requirement for Servlet containers and
> b) there was very little (no references at all on the users list) for it.
> I think it would be safe to say that the Apache Tomcat community has no
> opinion on the Java EE web profile requiring JSR 196 support. You'd
> obviously get a very different reaction if the Servlet spec was going to
> require JSR 196 support.
> Apache TomEE does support the Java EE web profile. If you haven't
> already approached that community for their views, I recommend that you
> do so.

I have posted the question to the TomEE and Caucho/Resin users' lists.

It would also help to know what the level of interest is from Tomcat 
users and developers.

I anticipate that there are Tomcat users and developers who are committed
to other approaches, but I'd like to make sure the use of JASPIC has been
presented for consideration by the Tomcat community.

I would also like to know if anyone has already done or is interested in
the work to integrate the JASPIC profile in the Tomcat code base.

kind regards,


> Kind regards,
> Mark