Change Log for JSR-000115 Java™ Authorization Contract for Containers
This page details the proposed, accepted and deferred changes to JSR 115,
documenting the changes that will go into the next (minor) revision, per
Section 4.2 of the JCP 2.5 document.
The changes documented on this page resolve issues raised by
reviewers and implementors of the current specification (dated November
24, 2003) and have been presented, discussed, and resolved on the JSR
115 Expert Group mailing list.
Each of the proposed changes is described with respect to a page in
the current specification and includes a hyperlink to a representation
of the page (with change bars) that would result from applying the
changes to the page.
The review period for the proposed changes will be 30 days.
Last updated: 23 January 2004
PROPOSED CHANGES
To Policy Configuration Subcontract:
• Page 24: added requirement to
“Translating Servlet security-role-ref Elements” for extra
WebRoleRefPermission objects to be created to support calls to
isUserInRole from unmapped JSPs.
To Policy Enforcement Subcontract:
• Page 37: added requirement to
“Application Embedded Privilege Test” to support calling isUserInRole
from an unmapped (to servlet) web resource.
• Page 47: added footnote to “Checking
the Caller for a Permission” to act as a forward reference to
optimization by reuse of unauthenticated results, as allowed for by new
text added to “Optimization of Permission Evaluations”. This
optimization allows a container to optimize authorization checks on
unprotected resources.
• Page 50: added new clarifying text to
“Optimization of Permission Evaluations” to support performance
optimization based on reuse of evaluation results. In addition to reuse
of equivalent evaluations, added text to support reuse of
unauthenticated evaluations to authorize evaluations independent of
caller identity. Described a common practice that could be implemented
by containers and providers, and that would cause containers to be
notified by providers of policy changes. Following the suggested
practice allows providers to tell when containers expect to be
notified, and allows containers to determine whether they will be
notified and whether their provider has the other properties
necessary to sustain reuse.
To API:
• Page 87: clarified description of
WebRoleRefPermission class.
• Page 88: modified description of name
parameter of WebRoleRefPermission constructor to describe use of
empty-string name.
To Appendix B: Issues:
• Page 105: removed sentence from
description of resolution of issue B19, “Calling isUserInRole from JSP
not mapped to a Servlet”, that had indicated that the resolution would
NOT be adopted until the Servlet spec was changed. As a result of this
errata, the resolution to issue B19 has been fully integrated.
ACCEPTED CHANGES
DEFERRED CHANGES