JSRs: Java Specification Requests
JSR 375: Java™ EE Security API

Nomination Type Full Name Biography Spec Lead Comments Submission date Spec Lead Vote PMO Vote

Expert Group Ajay Reddy Ajay Reddy has been working in the J2EE security area for more than 7 years. As part of this he has been an active participant in designing and implementing a JACC and JASPI provider. His current work involves implementing the latest J2EE specifications for security in application servers. Mar 15, 2015 Y Y
Expert Group Jean-Louis Monteiro I've been working with Java EE for more than 10 years. I have long experience in security due to my background. Indeed, I worked 10 years in a big company, working on online transaction processing (banking, insurance, etc.). I have pretty good knowledge of things like PKI, PCI (payment), security APIs and frameworks (Spring Security, Apache Shiro) as well as other specifications like OpenID, OAuth, to name a few. Apache committer on the application server Apache TomEE, I've been involved in implementing security support (REST, SOAP). Feb 23, 2015 Y Y
Expert Group Pedro Igor Silva Pedro Igor Silva is currently involved in several security-related projects at Red Hat. Feb 18, 2015 Y Y
Expert Group Darran Lofthouse I am a software engineer on the WildFly project within Red Hat specialising in security of the application server. I am currently lead of the WildFly Elytron project which is part of a wider initiative to overhaul the security architecture for the application server. This initiative includes many of the areas also included by this JSR. Feb 6, 2015 Y Y
Expert Group Adam Bien Consultant and author Adam Bien is an Expert Group member for the Java EE 6 and 7, EJB 3.X, JAX-RS, and JPA 2.X JSRs. He has worked with Java technology since JDK 1.0 and with Servlets/EJB 1.0 and is now an architect and developer for Java SE and Java EE projects. He has edited several books about JavaFX, J2EE, and Java EE, and he is the author of Real World Java EE Patterns—Rethinking Best Practices and Real World Java EE Night Hacks—Dissecting the Business Tier. Adam is also a Java Champion, Top Java Ambassador 2012, and JavaOne 2009, 2011, 2012 and 2013 Rock Star. Adam occasionally organizes Java EE workshops at Munich’s airport ( Jan 31, 2015 Y Y
Expert Group David Blevins Long-time participant in Java EE related JSRs. EJB 3.0 and onward, Java EE 6 and onward. High priority item for me and security makes up a large chunk of my time these days. Jan 27, 2015 Y Y
Expert Group Arjan Tijms I studied computer science at the University of Leiden, the Netherlands and have worked with Java EE for well over 10 years. I have contributed some ideas to the JASPIC 1.1 spec and have developed a set of tests for this that has been used by various vendors to improve their implementation. I maintain a blog at where I've published a number of articles dedicated to Java EE security which have been well received by the community. Furthermore I have submitted a number of security related JIRA issues to several Java EE trackers, and am incubating a Java EE security utility library (OmniSecurity). Jan 23, 2015 Y Y
Expert Group Rudy De Busscher Bio: Rudy De Busscher is a Java EE Expert who has done several projects with a multitude of technologies, most of the time with JSF in the front. He has given training to many developers and students and has coached various teams. Always explaining state of the art technologies and how you can build applications today for tomorrow. Qualifications: * I have created the Octopus Framework (see also It gives you a permission based security framework for Java EE which is highly customizable, CDI integrated and focused on type-safety. You can protect URLs, JSF components, CDI methods and EJB invocations with one and the same permission check code. * I have done several projects where security is an important aspect. In the following projects, aspects like authentication, authorization and encryption are used. - LIMS (Labo Information Management System) project. Manages the analysis of samples in a laboratory. Patient confidentiality is an important aspect here and thus several security levels are applied. - REST backend for a mobile application used by home nursing personnel. It gathers all personal and health information of the visited persons. Again patient confidentiality is important here. - KBO-WI, the central registry for enterprises and self-employed of the Belgian government. Contains among others name, address and allowed activities Jan 19, 2015 Y Y
Expert Group Les Hazlewood Les Hazlewood is the CTO and co-founder of Stormpath, a cloud API service for user authentication, access control and identity management. Les is also the PMC Chair for the Apache Shiro security framework for the JVM and a frequent speaker on application and API security and design. Prior to founding Stormpath, he held senior architectural positions at Bloomberg and Delta Airlines. He has been actively involved in Open Source for more than 10 years on projects like the Spring Framework, JBoss, and Apache Shiro. Jan 13, 2015 Y Y
Expert Group Werner Keil Werner is Build Manager at Heidelberg Printing after working on a Real Time/ETCS project for Thales, Build Manager at Maersk and Agile Coach, Principal Consultant and Distinct Architect for a Financial Services company. Helping Global 500 Enterprises across industries like Mobile/Telco, Web 2.0, Finance, Travel/Logistics, Automotive, Healthcare, Environment & Public Services, as well as IT vendors like Oracle or IBM. Among earlier clients was Sony where he designed and implemented micro-format based tags for its online music portals. He has worked for more than 25 years as a project manager, software architect, analyst and consultant on leading-edge technologies for Banking, Insurance, Telco/Mobile, Media and Public sector. Werner develops enterprise systems using Java, JEE, Oracle, IBM or Microsoft, does Web design and development using Adobe, JavaScript, dynamic or functional languages. Werner is Committer at Apache Foundation, Eclipse Foundation, UOMo Project Lead, cofounder of the Agorava project and active member of the Java Community Process, in JSRs like 321 (Trusted Java), 331 (CP), 333 (JCR), 342 (Java EE 7), 344 (JSF 2.2), 346 (CDI 1.1), 350 (Java State), 351 (Java Identity), 354 (Money), 358/364 (, 360/361 (ME Embedded), 362 (Portlet 3), 363 (Unit-API, also Spec Lead), 365 (CDI 2) and only Individual Member of the Executive Committee outside the US. Jan 12, 2015 Y Y
Expert Group Will Hopkins Will Hopkins is the WebLogic Security Architect and has worked in software security for many years. Dec 12, 2014 Y Y
Expert Group Shane Bryzak Software developer at Red Hat, lead architect for PicketLink, developed TCK for JSR-299 Dec 8, 2014 Y Y
Expert Group Matt Konda I am a longtime (since 1999) Java developer turned application security specialist. I am also active in (and on the board of directors of) OWASP. I use a variety of security frameworks with Java, including ESAPI, Spring Security and others. My business is 100% focused on helping companies build more secure applications, often with code review and custom development. Nov 26, 2014 Y Y
Expert Group Ivar Grimstad Bio: Ivar Grimstad is an experienced software architect focusing on Enterprise Java. He is a member of the Java Community Process and in the Expert Group for JSR 371 (MVC 1.0). He has been working with Java since the beginning and has over the years tried out everything from lightweight mobile applications to large scale enterprise applications. His experience covers all aspects of designing architectures based on a variety of technologies including standard Java EE as well as more lightweight frameworks such as Spring and a variety of open source products. Qualifications for this JSR: - Great deal of experience using existing Java EE Security, both programmatic and declarative - Implemented specific application domain security where needed - Lots of experience using Spring Security in Spring-based applications Nov 26, 2014 Y Y
Contributor Fatih Mutluay I am currently working as a Middleware Systems Architect and I have over 7 years' experience as a Java EE developer/Middleware Systems Architect. I want to join the JSR 375 as a contributor. Feb 2, 2017 Y Y
Contributor Reza Rahman I am a long-time Java EE author, speaker, blogger and former Java EE evangelist at Oracle. I have been a key supporter of this JSR and some of my ideas helped launch it. Jan 20, 2017 Y Y
Contributor Elder Moraes I am a software developer passionate about Java EE Development and Systems Architecture. Experienced in projects in many areas, from financial and legal to human resources and logistics. Speaker in events like JavaOne and The Developers Conference, focusing on how developers can improve their projects with better understanding of architecture challenges. Dec 6, 2016 Y Y

Expert Group Frappé Arturo Hello, my name is Arturo (First Name) Frappé (Last Name). I'm a Java believer developer. Since 2005, I've been working with Hibernate / JPA / JSP / JSF / JUnit. I know about Java EE containers, like WebLogic, GlassFish and JBoss. I think that I have sufficient qualifications to test and debug other people's code. I like to read Java code and guess what the programmer tried to express. Some time ago I found a Firefox bug (, then I submitted a fix, but I could not get it merged into the CVS tree. Jun 22, 2016 - XM
Expert Group Patrycja Wegrzynowicz Expert specializing in automated software engineering, patterns and anti-patterns in software, and language semantics. Working on automated detection and refactoring of software defects, including security vulnerabilities, performance anti-patterns, concurrency and database issues. Finalizing PhD in Computer Science at University of Warsaw. Active author and speaker at academic and industrial conferences on such topics as: security, orm, performance. Please, find more information at: Nov 13, 2015 - XM
Expert Group Dave Franken This nominee, henceforth called "I", has successfully created a JASPIC SAM based on various other standards, like SAML and JSON Web Tokens. While struggling with JASPIC, I discovered that it really is low level and found a lot of holes and opportunities for improvement. I ended up having a fruitful discussion with Arjan Tijms based on a simple StackOverflow question. He pointed me towards the JASPIC specs and its issues. Now that I've found out about this shiny new API which looks like it will modernize JASPIC, it seems a perfect moment to join and do my part. My JASPIC SAM uses the SAML AuthnRequest / Response protocol (HTTP POST) and validates JSON Web Tokens to simplify authentication for underlying applications. Currently it's used for simple JSP, REST services and SOAP services: all use Servlets underneath so they all go through the SAM. At first, a user goes to a webpage and needs to authenticate and this is done with SAML. After he is authenticated and comes back to the site, the site can create tokens for the user (with getUserPrincipal) and use those tokens for REST services on another server. The other server has the same SAM installed, validates the tokens, gets the subject from it and installs that into the UserPrincipal so once again, the REST service can simply call getUserPrincipal. Jun 7, 2015 - XM
Expert Group Anatole Tresch I am working for Credit Suisse as technical architect dealing with all kind of application development areas using Java (SE and EE). Mar 25, 2015 P Y
Contributor Frappé Arturo I'm a Java believer developer. Since 2005, I've been working with Hibernate / JPA / JSP / JSF / JUnit. I know about Java EE containers, like WebLogic, GlassFish and JBoss. I think that I have sufficient qualifications to test and debug other people's code. I like to read Java code and guess what the programmer tried to express. Some time ago I found a Firefox bug (, then I submitted a fix, but I could not get it merged into the CVS tree. Jun 22, 2016 - XM
Contributor Reza Rahman Reza Rahman is a long time consultant now working at CapTech. He has been a Java EE technologist at Oracle. He is the author of the popular book EJB 3 in Action. Reza is a frequent speaker at Java User Groups and conferences worldwide including JavaOne and Devoxx. Reza led the Java EE track at JavaOne and is a JavaOne Rock Star Speaker award recipient. He is an avid contributor to industry journals like JavaLobby/DZone and TheServerSide. Reza has been a member of the Java EE, EJB and JMS expert groups. He implemented the EJB container for the Resin open source Java EE application server. Jun 20, 2016 - Y
