javaee-security-spec
diff --git a/‎LICENSE-template.txt
+2-2 b/‎LICENSE-template.txt
+2-2
diff --git a/‎LICENSE.html
+4-3 b/‎LICENSE.html
+4-3
diff --git a/‎LICENSE.txt
+2-2 b/‎LICENSE.txt
+2-2
diff --git a/‎README.adoc
+1-1 b/‎README.adoc
+1-1
diff --git a/‎pom.xml
+1-1 b/‎pom.xml
+1-1
diff --git a/‎src/main/doc/authenticationMechanism.asciidoc
+67-60 b/‎src/main/doc/authenticationMechanism.asciidoc
+67-60
diff --git a/‎src/main/doc/concepts.asciidoc
+44-9 b/‎src/main/doc/concepts.asciidoc
+44-9
@@ -9,8 +9,8 @@
 // 
 // Specification: JSR-375 Java EE Security API ("Specification")
 // Version: 1.0
-// Status: Early Draft Review
-// Release: March 2017
+// Status: Public Review
+// Release: May 2017
 // 
 // Copyright 2017 Oracle America, Inc.
 // 500 Oracle Parkway, Redwood City, California 94065, U.S.A.
 
@@ -2,7 +2,7 @@
 <html xmlns="http://www.w3.org/1999/xhtml">
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
-<title>Untitled Document</title>
+<title>JSR-375 Public Review License</title>
 </head>
 <body>
 <p>
@@ -17,9 +17,9 @@
 <br>
 Version: 1.0
 <br>
-Status: Early Draft Review
+Status: Public Review
 <br>
-Release: March 2017
+Release: May 2017
 <p>
 Copyright 2017 Oracle America, Inc.
 <br>
@@ -58,6 +58,7 @@
 initiating its download, where the list or link is under Licensee's control; and
 <br>
 (iii) includes the following notice:
+<br>
 "This is an implementation of an early-draft specification developed under the Java Community Process
 (JCP) and is made available for testing and evaluation purposes only. The code is not compatible with
 any specification of the JCP."
 
@@ -7,8 +7,8 @@ THIS PAGE AND THE DOWNLOADING PROCESS WILL NOT CONTINUE.
 
 Specification: JSR-375 Java EE Security API ("Specification")
 Version: 1.0
-Status: Early Draft Review
-Release: March 2017
+Status: Public Review
+Release: May 2017
 
 Copyright 2017 Oracle America, Inc.
 500 Oracle Parkway, Redwood City, California 94065, U.S.A.
 
@@ -21,4 +21,4 @@ The AsciiDoc specification source is located in this directory:
 
 == Making Changes
 
-Master is now at GitHub, mirrored back to java.net.
+To propose changes, please submit a pull request.
@@ -4,7 +4,7 @@
 
     <groupId>javax.security</groupId>
     <artifactId>javax.security-spec</artifactId>
-    <version>1.0-edr</version>
+    <version>1.0-prd</version>
     <packaging>pom</packaging>
 
     <name>EE Security API Specification</name>
 
@@ -9,8 +9,8 @@
 // 
 // Specification: JSR-375 Java EE Security API ("Specification")
 // Version: 1.0
-// Status: Early Draft Review
-// Release: March 2017
+// Status: Public Review
+// Release: May 2017
 // 
 // Copyright 2017 Oracle America, Inc.
 // 500 Oracle Parkway, Redwood City, California 94065, U.S.A.
@@ -141,11 +141,46 @@
 
 [[concepts]]
 
-== Concepts
+== Concepts and General Requirements
 
-* authentication
-* authorization
-* credential
-* jaspic
-* java servlet specification
-* token
+This chapter overview information and terminology related to this specification, and also includes a general requirements not specified elsewhere in this document.
+
+=== Terminology And Acronyms
+
+A common understanding of security-related terms is helpful for discussion or specification of security APIs. To that end, we incorporate by reference the excellent https://shiro.apache.org/terminology.html[Apache Shiro Terminology], and define some additional terms used in this document.
+
+Authentication Mechanism ::
+The mechanism by which authentication is performed. This mechanism interacts with the caller to obtain credentials and invokes an identity store to match the given credentials with a known user (identity). If a match is found, the Authentication Mechanism uses the found identity to populate attributes (principals) to build an authenticated Subject. If a match is not found, the Authentication Mechanism reports a failed authentication, the caller is not logged in, and is unable to be given authorization.
+
+Caller, Caller Principal::
+A caller is a user that is making a request to an application, or invoking an application API. A Caller Principal is a Principal object representing that user. This specification uses the term caller in preference to the term user in most contexts.
+
+HAM::
+Abbreviation for _HttpAuthenticationMechanism_, an interface defined by this specification.
+
+Identity Store::
+An Identity Store is a component that can access application-specific security data such as users, roles, and permissions. It can be thought of as a security-specific DAO (Data Access Object). Synonyms: security provider, repository, store, login module (JAAS), identity manager, service provider, relying party, authenticator, user service. Identity Stores usually have a 1-to-1 correlation with a data source such as a relational database, LDAP directory, file system, or other similar resource. As such, implementations of the _IdentityStore_ interface use data source-specific APIs to discover authorization data (roles, permissions, etc), such as JDBC, File IO, Hibernate or JPA, or any other Data Access API.
+
+JASPIC::
+Java Authentication SPI for Containers.
+
+SAM::
+Abbreviation for _ServerAuthModule_, an interface defined by JASPIC.
+
+=== General Requirements
+
+The following general requirments are defined by this specification.
+
+==== Group-To-Role Mapping
+
+Various Java EE specifications define how roles are declared for an application, and how access to application resources can be restricted to users that have a specific role. The specifications are largely silent on the question of how users are assigned to roles, however. Most application servers have proprietary mechanisms for determining the roles a user has.
+
+Application servers MUST provide a default mapping from group names to roles. That is, a caller who is a member of group "foo" is considered to have role "foo". This default mapping MAY be overridden by proprietary configuration, but, when not overridden, provides sensible and predictable behavior for portable applications.
+
+An application MAY provide a default mapping from caller principal names to roles. That is, a caller with the name "bar" is considered to have role "bar". This default mapping MAY be overridden by proprietary configuration.
+
+==== Caller Principal Types
+
+This specification defines a principal type called _CallerPrincipal_ to represent the identity of an application caller. Historically, application servers have used different principal types to represent an application's callers, and various Java EE specifications (e.g., JASPIC), provide abstractions to accomodate, "the container's representation of the caller principal".
+
+This specification RECOMMENDS that Java EE application servers that rely on container-specific caller principal types derive those types by extending _CallerPrincipal_, so that portable applications can rely on a consistent representation of the caller principal.
Original file line number	Diff line number	Diff line change
`@@ -21,4 +21,4 @@ The AsciiDoc specification source is located in this directory:`
`21`	`21`
`22`	`22`	`== Making Changes`
`23`	`23`
`24`		`-Master is now at GitHub, mirrored back to java.net.`
	`24`	`+To propose changes, please submit a pull request.`