The Java EE Security API just posted its first early draft review. Because of the now-accelerated Java EE 8 schedule, the rest of the steps towards finalization of the specification are going to happen very quickly.

Java EE security is one of the most anticipated changes in Java EE 8. This is the case particularly because security is one of the last areas left to be revamped in the way most other Java EE APIs, such as EJB 3, have been changed radically. As a result, Java EE security is very highly dependent on things like vendor-specific GUI console wizards, vendor-specific configuration, or command-line administrative tools. Pluggability, extensibility, and customization are also currently challenging when the security features that already come with the application server are not sufficient. This is the main reason for the existence of third-party security frameworks in server-side Java, like Shiro and Keycloak. The Java EE Security API aims to solve these important issues and promote both simplicity and portability, particularly in the cloud.

The best way to learn more about what is in the specification is looking at the specification draft itself. Another great way to get yourself familiarized is looking at the slide deck from key expert group member and my friend Rudy De Busscher (please click here if you can't see the embedded deck).

While the specification is going to be finalized soon, there are still plenty of reasons to get involved. Indeed, this has been one of the most heavily community-driven Java EE 8 specifications. Here are the many ways you can still engage (most of this comes directly from the Adopt-a-JSR page I drafted while still at Oracle):

• You can still join the specification itself as an expert or a contributor. You can do that via the JCP page for the specification.
• You can have your JUG officially support the standard through Adopt-a-JSR.
• You can simply join the discussion without any ceremony by subscribing to the Java EE Security API specification user alias.
• You can share ideas and feedback, possibly by entering issues in the public issue tracker.
• You can read the draft specification now.
• You can try out the reference implementation now.
• You can write or speak about the API now.
• You can encourage others to participate.

The next step is up to you. You can be a part of the effort to simplify and improve security in server-side Java. If you have any questions, I am happy to try to help — just drop me a note any time.