Change Log for JSR-000115 Java^TM Authorization Contract for Containers

This page details the proposed, accepted and deferred changes to JSR 115, documenting the changes that will go into the next revision, per Section 4.2 of the JCP 2.6 document.

The review period for the proposed changes will be 30 days.

Last updated: 8 August 2005

PROPOSED CHANGES

Changes made Throughout the Document • Changed the "J2EE" and "J2SE" platform names (when NOT used with a specific version such as J2EE 1.4) to "Java EE" and "Java SE" respectively. • Changed improper uses of "affect" to "effect". Changes to Overview • Page 5: Clarified assumptions 1 and 3 to indicate that contract is intended to apply and be required by future versions of the Java EE platform. Changes to Provider Configuration Contract • Pages 9-15:  Generalized the J2EE 1.4 version specific requirements such that they also apply to later versions of the EE platform. Changes to Policy Configuration Contract Pages17-18: • Extended the chapter abstract to indicate that the subcontract applies to the configuration of policy providers from authorization rules defined within Java code using common annotations. • In “What a Java EE Platform’s Deployment Tools Must Do”, described the deployment tool requirements relating to annotation processing, and the merging of annotations into the deployment descriptor such that the translation may occur using the deployment descriptor translation rules. • Page 21:  In “Servlet Policy Context Identifiers”, described why each module of a multi-module web application must be deployed to a separate policy context. • Page 26:  In “Translating Servlet security-role-ref Elements”, clarified that the set of all roles defined for the application is used to determine the additional permissions to be constructed. • Page 31:  In “EJB Policy Context Identifiers”, added rule to ensure that no two EJBs in a policy context share the same ejb-name. If this rule is not observed the policy statements for the EJBs would be inappropriately combined. Changes to Policy Decision and Enforcement Contract Pages 37-39: •  Inserted new section “Permission Names for Transport and Pre-Dispatch Decisions”, to call attention to the description of how the corresponding permissions names are constructed, especially as necessary to account for the welcome file processing defined by the Servlet specification. Without this clarification, the URI's used in policy enforcement would be different from those used to determine the target resource, and as such, could serve as unprotected aliases for seemingly unrelated and possibly protected request URIs. •Revised sections “Evaluation of Transport Guarantees” and “Pre-dispatch Decision" to refer to the new section for the definition of their respective permission names. • Added new sentence the description of the “EnterpriseBean Policy Context Handler” to account for EJB 3.0 Session and Entity beans which are not required to implement the javax.ejb.EnterpriseBean interface. Changes to API • Page 69: Clarified the description of the PolicyConfiguration.commit() method to indicate that it also throws an UnsupportedOperationException when completing the commit would cause there to be two or more inService and linked policy contexts with different principal-to-role mappings. • Page 84: Added a sentence to the description of the HttpServletRequest based constructor of the WebResourcePermission to indicate that no (additional) processing (such as welcome file processing), other than that described in the permission constructors, must be required to transform the request URI into the permission name. • Page 92: Added the same sentence to the description of the HttpServletRequest based constructor of the WebUserDataPermission.

ACCEPTED CHANGES

The changes documented on this page resolve issues raised by reviewers and implementors of the current specification (dated November 24, 2003) and have been presented, discussed, and resolved on the JSR 115 Expert Group mailing list. Each of the proposed changes are described with respect to a page in the current specification and include a hyperlink to a representation of the page (with change bars) that would result from applying the changes to the page. To Policy Configuration Subcontract: • Page 24: added requirement to “Translating Servlet security-role-ref Elements" for extra WebRoleRefePermission objects to be created to support calls to isUserInRole from unmapped JSPs. To Policy Enforcement Subcontract: • Page 37: added requirement to “Application Embedded Privilege Test" to support calling isUserInRole from an unmapped (to servlet) web resource. • page 47: added footnote to “Checking the Caller for a Permission" to act as a forward reference to optimization by reuse of unauthenticated results as allowed for by new text added to “Optimization of Permission Evaluations". This optimization allows a container to optimize authorization checks on unprotected resources. • Page 50: added new clarifying text to “Optimization of Permission Evaluations" to support performance optimization based on reuse of evaluation results. In addition to reuse of equivalent evaluations, added text to support reuse of unauthenticated evaluations to authorize evaluations independent of caller identity. Described a common practice that could be implemented by containers and providers, and that would cause containers to be notified by providers of policy changes. By following the suggested practice providers would be able to tell when containers expect to be notified, for containers to determine if they will be notified, and for containers to determine if their provider has other properties necessary to sustain reuse. To API: • Page 87: Clarified Description of WebRoleRefPermission class. • Page 88: Modified description of name parameter of WebRoleRefPermission constructor to describe use of empty-string name. To Appendix B: Issues: • Page 105: removed sentence from description of resolution of issue B19, “Calling isUserInRole from JSP not mapped to a Servlet", that had indicated that the resolution would NOT be adopted until the Servlet spec was changed. As a result of this errata, the resolution to issue B19 has been fully integrated. J2EE 1.4 Platform Specification Errata Java Authorization Contract for Containers 1.0 Errata March 18, 2004 J2EE defines a security model and requirements that cover both access to the services and applications in a J2EE application server, as well as the security environment in which J2EE applications execute. The security environment is controlled by the Java security manager and the permissions granted to applications. The J2EE spec defines a set of security permissions that applications can expect. The spec also allows a vendor of a J2EE product, as well as users of the product, to control the exact set of permissions available to an application, either more or less than the minimum set, as long as it's possible to grant the application at least the minimum set. This has provided the operational flexibility that customers require to choose the appropriate security policy for their needs. J2EE 1.4 added the following requirement (section 6.2.1, page 88): To ensure the integrity of J2EE containers, all J2EE containers must install a security manager and must prevent applications from replacing or overriding the security manager. It has been pointed out that this requirement is in conflict with the intent of the J2EE spec to allow customers to choose the security policy for their needs. It's also in conflict with current practice which routinely allows applications to run with no security manager at all. In some environments the protections provided by a security manager are less important than the performance cost of using a security manager. Customers demand the ability to make these tradeoffs between protection and performance. The clear majority opinion of the J2EE 1.4 expert group was that the addition of this requirement was a mistake and should be removed. This errata corrects this conflict in the J2EE spec by removing the above quoted requirement. JSR-115 (Java Authorization Contract for Containers) has echoed this requirement in its specification. That specification must be corrected as well to eliminate this conflict. In particular, the following changes to the JSR-115 specification are required: Requirement #9 in section 1.4 is changed to: 9. For a container to support this contract, it must execute in an environment controlled by a J2SE SecurityManager. Containers may also execute in environments that are not controlled by a J2SE SecurityManager. Section 1.5, "Running Without a SecurityManager" defines changes to this contract that apply to containers running without a J2SE SecurityManager. Section 1.5 is added: 1.5 Running Without a SecurityManager The following list defines changes to this contract that apply to containers running without a J2SE SecurityManager. 1. The restrictions defined in Section 3.3, "Permission to Configure Policy" need not be enforced. Also, the containers of the application server must not be denied permission to perform any operation that would have been permitted in the presence of a SecurityManager. 2. Such containers are not required (before dispatching a call) to associate an AccessControlContext with the call thread (as otherwise required by Section 4.1.2, "Pre-dispatch Decision" and Section 4.3.1, "EJB Pre-dispatch Decision"). 3. When performing the operations defined in Section 4.7, "Checking AccessControlContext Independent Grants" and in Section 4.8, "Checking the Caller for a Permission", such containers must not employ the SecurityManager.checkPermission and AccessControlContext.checkPermission techniques defined in these sections. Changes to a specification after final release must always be done with the greatest care, even when correcting an error in the spec. The impact of the change on vendors and customers must be taken into account. In this case, the risk of this change appears relatively low. This change will not require any vendor to make any change to an existing product implementing this specification. It will not require any changes to the J2EE CTS. It is extremely unlikely that it will disrupt any existing customer applications. (It's possible, but unlikely, that an application could depend on a security manager always being installed, even though most existing products do not do so.) This change allows vendors to continue to deliver J2EE 1.4 products in the same way they have delivered J2EE 1.3 products, with optional use of a security manager. Vendors who prefer to enforce more rigorous security requirements will continue to be free to do so.

DEFERRED CHANGES