diff --git a/spec/src/main/asciidoc/authenticationMechanism.asciidoc b/spec/src/main/asciidoc/authenticationMechanism.asciidoc index 20fa6d0..69ebea8 100644 --- a/spec/src/main/asciidoc/authenticationMechanism.asciidoc +++ b/spec/src/main/asciidoc/authenticationMechanism.asciidoc 
@@ -14,7 +14,7 @@ In some cases (for example, username/password authentication) the interaction be The Jakarta EE Platform already specifies mechanisms for authenticating users of web applications. The Jakarta Servlet Specification, version 4.0 [https://jakarta.ee/specifications/servlet/4.0/[SERVLET40]] specifies a declarative mechanism for configuring an application to provide BASIC, DIGEST, FORM, or CERT authentication, with authentication performed automatically by the container based on the application's configuration, which, in the case of FORM authentication, can include custom form pages. -In addition, [https://jakarta.ee/specifications/authentication/1.1/[JASPIC]] specifies a general-purpose mechanism for securing messages sent between Jakarta EE clients and servers. Jakarta Authentication defines an SPI called _ServerAuthModule_, which enables development of authentication modules to handle any credential type, or engage in interaction of arbitrary complexity with clients and third parties. [https://jakarta.ee/specifications/authentication/1.1/[JASPIC]] also defines the Servlet Container Profile, which specifies howJakarta Authentication mechanisms, including _ServerAuthModules_, are integrated with the servlet container. +In addition, [https://jakarta.ee/specifications/authentication/1.1/[AUTHENTICATIONSPEC]] specifies a general-purpose mechanism for securing messages sent between Jakarta EE clients and servers. Jakarta Authentication defines an SPI called _ServerAuthModule_, which enables development of authentication modules to handle any credential type, or engage in interaction of arbitrary complexity with clients and third parties. [https://jakarta.ee/specifications/authentication/1.1/[AUTHENTICATIONSPEC]] also defines the Servlet Container Profile, which specifies howJakarta Authentication mechanisms, including _ServerAuthModules_, are integrated with the servlet container. 
While both existing mechanisms are important and useful, each has limitations from the point of view of an application developer. The servlet container's _login-config_ mechanism is limited to the _auth-method_ types defined by [https://jakarta.ee/specifications/servlet/4.0/[SERVLET40]] -- it doesn't support other credential types, or complex interactions with callers. It also relies on unspecified container mechanisms to associate identity stores with applications. There is no way for an application to ensure that callers are authenticated against the desired identity store, or, indeed, against _any_ identity store. @@ -307,7 +307,7 @@ See also the description of _RememberMeIdentityStore_ in Chapter 3, "<
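Review bot: The added line in the first hunk (@@ -14,7 +14,7 @@) still carries the missing space in "specifies howJakarta Authentication mechanisms"; since the line is being rewritten anyway, change it to "how Jakarta Authentication mechanisms". The link label changes from JASPIC to AUTHENTICATIONSPEC in both places on that line while the target stays https://jakarta.ee/specifications/authentication/1.1/, so check that every other use of the JASPIC label in the spec sources is renamed in the same change, otherwise the document ends up with two labels for one reference.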