Just read over Jason Hunter's summary of the servlet 2.5 spec. Easiest way to sum it up is to point out that the two things I wanted most got punted for future consideration:
To the first: I suspect the reason why the servlet spec doesn't let you programatically log in -- it would be placing auth control somewhere the spec wrter's don't trust, in the hand's of people writing webapps. Pass-though auth is usually used when you need trusted authorization to an untrusted system. Oops.
"It's possible NIO Channels would be a more efficient" -- ROFL. It is possible, also, that the sum of two and two is four.
Sorry for griping, it is just there were two things that the EG said
they'd address which I really wanted to see addressed. Those
were them. Both were punted on. Instead we got annotations and
syntax sugar in web.xml. Syntax sugar ... in ... xml.