Jakarta Authorization 3.0

Release for Jakarta EE 11

Jakarta Authorization defines a low-level SPI for authorization modules, which are repositories of permissions facilitating subject based security by determining whether a given subject has a given permission, and algorithms to transform security constraints for specific containers (such as Jakarta Servlet or Jakarta Enterprise Beans) into these permissions.

The primary goal of this release is to make Jakarta Authorization future proof by adding a replacement for the Policy and generally the removal of security manager. Also make it more suitable for cloud deployments, by adding an option to add policy providers programmatically for a single application. This mirrors the API available for Jakarta Authentication.

New features, enhancements or additions

• Register a policy provider programmatically per application AUTHORIZATION #98
• Standarize the context ID for Servlet containers
• Several convenience methods to make the API easier to use

Removals, deprecations or backwards incompatible changes

• Design and implement replacement for Policy AUTHORIZATION #99
• Remove references to the SecurityManager

Minimum Java SE Version

Java SE 17 or higher

Details

• Jakarta Authorization 3.0 Release Record

• Jakarta Authorization 3.0 Specification Document (PDF)

• Jakarta Authorization 3.0 Specification Document (HTML)

• Jakarta Authorization 3.0 Javadoc

• Jakarta Authorization 3.0 TCK (sig,sha,pub)

• Maven coordinates

  • jakarta.authorization:jakarta.authorization-api:jar:3.0.0

Compatible Implementations

• JDK 21: Exousia 3.0.0-M3 / Eclipse GlassFish 8.0.0-M5
• JDK 17: Exousia 3.0.0-M3 / Eclipse GlassFish 8.0.0-JDK-17-M5

Ballots

Plan Review

The Specification Committee Ballot completed on 11th July 2023.

The ballot was run in the jakarta.ee-spec mailing list

Release Review

The Specification Committee Ballot concluded successfully on 2024-05-13 with the following results.

The ballot was run in the jakarta.ee-spec mailing list