JAAS, JASPIC and Jakarta Security are all different. Tomcat does not implement Jakarta Security so removing JAAS creates a gap in my opinion.
I'd second Romain, JASPIC requires a SAM to be implemented by the application. Long story short, I'd probably deprecate for 10.x and target a removal for 11.x.

On Mon, 26 Apr 2021 at 18:17, Mark Thomas <ma...@apache.org> wrote:

> In reviewing references to Java EE (and J2EE) remaining in the Tomcat 10
> repo I found the following:
>
> <quote source="webapps/docs/config/realm.xml">
> JAASRealm is prototype for Tomcat of the JAAS-based J2EE authentication
> framework for J2EE v1.4, based on the <a
> href="https://www.jcp.org/en/jsr/detail?id=196">JCP Specification
> Request 196</a> to enhance container-managed security and promote
> 'pluggable' authentication mechanisms whose implementations would be
> container-independent.
> </quote>
>
> JSR became JASPIC (now Jakarta Security) and Tomcat has an implementation.
>
> Searching through the mailing lists I found the following references to
> usage of the JAASRealm (going back ~5 years).
>
> [1] Tomcat 7 user using JAAS based auth to an LDAP server
> [2] Tomcat 9 user using SPNEGO with the JAAS realm
> [3] Tomcat 8.5 user using SPNEGO with the JAAS realm
> [4] Tomcat 7 users with custom CLIENT-CERT auth based on JAAS realm
> [5] User wanting access to HttpServletRequest during auth
>
> Most, if not all, of those have better solutions available than the JAAS
> Realm. And those wanting some form of custom auth do have the "proper"
> Jakarta Security API to work with.
>
> Therefore, I'm not currently seeing a good reason to keep the JAASRealm.
> Any objections to immediate deprecation with removal planned for 10.1.x?
>
> Mark
>
>
> [1] http://markmail.org/message/ndvr5ilxovoo4ins
> [2] http://markmail.org/message/5ocdnmqvvlvjsxas
> [3] http://markmail.org/message/wki275i5yhlg3yyo
> [4] http://markmail.org/message/av2sv6g4kgm6ouu4
> [5] http://markmail.org/message/fm4ggo3ge4r47gar

--
Jean-Louis