i think we are now mixing 2 separate issues:
1) spec doesn't define how to access the principals
of a Session.
2) general discovery of other principals such as needed for
the first issue was raised during the public review, especially
due to the fact that the original proposal wanted to introduce
a requirement, that Session.getUserID is the same as the
principal name. i think we agreed that this is not correct.
the initially proposed and accepted solution was Session.getSubject(),
which is now questioned by d.pitfield.
and that's the aim of this bugzilla issue.
the second issue is the overall principal discovery, which
- if i'm not mistaken - would in 283 terms only be needed
for the addAccessControlEntry method: here you want to
define ACEs for different principals (and not only the
principal(s) attached to the current Session object).
we decided to remove the principal discovery from the
specification once we went through the many flaws detected
during public review. they led to the question of why we want
to specify the principal discovery at all and repeat all
the things defined in java.security.
decision was: principal discovery is out of the scope of the specification.
since the complete ac-section leaves almost everything to the
implementation, i think this was a wise move.
but maybe the logical consequence of this would also
be not to define how to access the Principal(s) of a
Session object... then this issue (getSubject or getPrincipal)
would just be obsolete.