Jakarta Authentication 3.0
Jakarta Authentication defines a general low-level SPI for authentication mechanisms, which are controllers that interact with a caller and a container’s environment to obtain the caller’s credentials, validate these, and pass an authenticated identity (such as name and groups) to the container.
Jakarta Authentication consists of several profiles, each describing how a specific container (such as Jakarta Servlet) can integrate with and adapt to this SPI.
New features, enhancements or additions
- Issue #87: Add generics to the API
- Issue #128: Add methods for adding and removing a single server auth module
- Issue #5: Add key for isAuthenticationRequest to server container profile
- Issue #130: Add default methods to ServerAuth and ClientAuth
- Issue #132: Add constructor variants taking a cause to AuthException
- Issue #134: Clarify interaction of Servlet profile with some other specs
- Issue #136: Clarify PasswordValidationCallback
- Issue #119: Clarified state expectations of CallbackHandler for per-request state
Removals, deprecations or backwards incompatible changes
- Issue #138: Deprecate SecurityManager usage in light of JDK 17/JEP 411