After so many pages talking about security and how to implement it in WebLogic, the question is: why is all this custom-made and not regulated by Java EE?

Java EE 6 has the correct answer to this question: the JASPIC 1.0 specification, a message processing framework that is protocol-independent and that can do what an Authentication Provider does for us; that is, populate Subjects with Principals and therefore authenticate a remote user agent.

In a manner that is different from WebLogic Security Framework, where everything is inside a secure framework API because the message and the protocol are managed by the application server, this is done at the message level. In this way, it enforces the concept that security is something ...