Maintenance Review 5 for JSR 115: Accepted Changes

Changes made throughout the Document

• Changed the version of the specification from 1.1 to 1.2.

Changes to Overview

Provider Compatibility:

In “Requirements” on page 6, clarified requirement 4 to indicate that a policy provider in a Servlet or EJB only container need only satisfy the requirements corresponding to the supported container.


Running without a SecurityManager:

Corrected bullet 3 of “Running Without a SecurityManager” on page 8, by removing the prohibition on AccessControlContext.checkPermission.

Added new bullet 4 to “Running Without a SecurityManager” on page 8, to ensure that the container sets the AccessControlContext if it uses the AccessController.checkPermission technique.


Servlet Only Containers:

Added new section, “Servlet or EJB only containers” on page 9, to differentiate requirements that must be satisfied by web containers from those that must be satisfied by EJB containers.


Changes to Policy Configuration Contract

Translation Equivalence:

In Section 3.1, “What a Java EE Platform’s Deployment Tools Must Do”, modified the definition of equivalence to accept as equivalent a translation in which permissions that are implied by excluded permissions are removed from the role and unchecked permission collections. Limited the definition of equivalence to apply only to those permission types that are the subject of the translation. Added footnote to describe why equivalence cannot always be evaluated by PermissionCollection.implies().


Servlet Statement Removal:

In Section 3.1.3, “Translating Servlet Deployment Descriptors”, relaxed requirement that the value true be passed as the second argument to getPolicyConfiguration. Changed text to require that the policy statements be removed, and added footnotes to describe implementation choices.


EJB Statement Removal:

In Section 3.1.5, “Translating EJB Deployment Descriptors”, relaxed requirement that the value true be passed as the second argument to getPolicyConfiguration. Changed text to require that the policy statements be removed, and added footnotes to describe implementation choices.


Encoding colons in url-patterns:

Added a requirement to Section , “Qualified URL Pattern Names”, that the translation use escaped encoding to differentiate colons occurring within the Pattern and QualifyingPattern elements from those used to construct the QualifyingPatternList.


EJB Security Role Ref Translation:

Corrected determination of permission name in Section 3.1.5.3, “Translating EJB security-role-ref Elements”, such that the name is acquired from the ejb-name of the element containing the security-role-ref.

Added a new paragraph in Section 3.1.5.3, “Translating EJB security-role-ref Elements”, to describe the creation of additional EJBRoleRefPermission objects to support optional declaration of security-role-ref elements (as required by the EJB 3.0 specification).

Added a footnote to Section 3.1.5.3, “Translating EJB security-role-ref Elements”, to indicate that the requirements of this section apply to any elements that are permitted by the EJB deployment descriptor schema to contain security-role-ref elements. This was done in anticipation of support for inclusion of this element in the message-driven element.


Changes to Policy Decision and Enforcement Contract

Encoding colons in Checked Permissions:

In Section 4.1.1, “Permission Names for Transport and Pre-Dispatch Decisions”, added the requirement that all colon characters occurring within the name of the checked permission be represented using escaped encoding.


EJB Access Exception:

In Section 4.3.1, “EJB Pre-dispatch Decision”, corrected requirement that an RMISecurityException be thrown by requiring that the container throw an exception as required by the corresponding EJB Specification.


Policy Context Handler Behavior:

Added footnote to Section 4.6.1, “Policy Context Handlers”, to make it explicit that the requirement that a handler return a null value when called outside of the context of an invocation need not apply to any additional handlers registered with the container.

Modified the requirements of Section 4.6.1, “Policy Context Handlers” to allow containers to effectively delay registrations that would otherwise impede performance. As a result of the change, containers (especially EJB containers) may return null when, during the processing of a request, an attempt is made to invoke a required but not yet registered handler.


Checking AccessControlContext Independent Grants:

In Section 4.7, “Checking AccessControlContext Independent Grants”, corrected return result of AccessController.checkPermission when exception is not thrown.


getPolicy Method name:

In Section 4.11, “Policy Compatibility Requirements”, corrected the reference to the javax.security.auth.Policy.getPolicy method.


Changes to API


Handling of Colons by WebResourcePermission Constructors:

Added requirement that all colons occurring within the URLPattern elements of the name and URLPatternSpec arguments passed to the String based constructors of WebResourcePermission must be represented in escaped encoding.

Added requirement to the HttpServletRequest based constructor of WebResourcePermission that the constructor must transform all colon characters occurring in the name to escaped encoding.


Handling of Colons by WebUserDataPermission Constructors:

Added requirement that all colons occurring within the URLPattern elements of the name and URLPatternSpec arguments passed to the String based constructors of WebUserDataPermission must be represented in escaped encoding.

Added requirement to the HttpServletRequest based constructor of WebUserDataPermission that the constructor must transform all colon characters occurring in the name to escaped encoding.
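
The colon-encoding changes listed above (translation of url-patterns, checked permission names, and the WebResourcePermission and WebUserDataPermission constructors) all address the same ambiguity: a colon is also the delimiter of the qualifying pattern list, so an unescaped colon inside a pattern changes which resources the permission name covers. The following is an added example, not code from the specification or from any provider; it assumes "escaped encoding" means the percent-escape %3A, and the class name, method names and sample paths are constructed for illustration.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

public class QualifiedPatternDemo {
    // Assumption: "escaped encoding" is the percent-escape of ':' (%3A).
    static String escapeColons(String urlPattern) {
        return urlPattern.replace(":", "%3A");
    }

    // Builds a name of the form Pattern:QualifyingPattern:QualifyingPattern...
    static String buildName(String pattern, List<String> qualifiers, boolean escape) {
        List<String> parts = new ArrayList<>();
        parts.add(escape ? escapeColons(pattern) : pattern);
        for (String q : qualifiers) {
            parts.add(escape ? escapeColons(q) : q);
        }
        return String.join(":", parts);
    }

    // A consumer of the name reads every ':' as a list delimiter.
    static List<String> parseName(String name) {
        return Arrays.asList(name.split(":"));
    }

    public static void main(String[] args) {
        // Constructed sample: a url-pattern and a qualifying pattern that contain a colon.
        String pattern = "/docs:v2/*";
        List<String> qualifiers = Arrays.asList("/docs:v2/private/*");

        // Unescaped: four elements come back, none of them the original pattern.
        String raw = buildName(pattern, qualifiers, false);
        System.out.println(raw + " -> " + parseName(raw));

        // Escaped: the pattern and its single qualifier survive the round trip.
        String escaped = buildName(pattern, qualifiers, true);
        List<String> parsed = parseName(escaped);
        System.out.println(escaped + " -> " + parsed);

        // The checked permission name is built from the request URI with the
        // same escaping, so it still falls under the escaped prefix pattern.
        String checked = escapeColons("/docs:v2/index.html");
        String p = parsed.get(0);
        String prefix = p.substring(0, p.length() - 1); // drop the trailing '*'
        System.out.println(checked + " covered: " + checked.startsWith(prefix));
    }
}
```

The policy side and the enforcement side must apply the same escaping; if only one of them does, the checked name and the translated pattern no longer match.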

Changes to Issues

Resolved Issues

Added recommended resolution to issue, Section B.21, “Welcome File and security-constraint Processing”.

Added resolution to issue, Section B.22, “Colons Within path-segment of Request URI”.