Changes made throughout the Document
• Changed the version of the specification from 1.1 to
1.2.
Changes to Overview
Provider
Compatibility:
• In
“Requirements” on page 6", clarified requirement
4 to indicate that a policy provider in a Servlet or EJB only
container need only satisfy the requirements corresponding to the
supported container.
Running
without a SecurityManager:
• Corrected
bullet 3 of “Running Without a SecurityManager” on
page 8", by removing prohibition on
AccessControlContext.checkPermission.
• Added
new bullet 4 to “Running Without a SecurityManager” on
page 8", to ensure that container sets AccessControlContext
if it uses the AccessController.checkPermission technique.
Servlet
Only Containers:
• Added
new section, “Servlet or EJB only containers” on page
9, to differentiate requirements that must be satisfied by web
containers from those that must be satisfied by EJB containers.
Changes to Policy Configuration Contract
Translation
Equivalence:
• In
Section 3.1, “What a Java EE Platform’s Deployment
Tools Must Do”, modified the definition of equivalence to
accept as equivalent a translation in which permissions that are
implied by excluded permissions are removed from the role and
unchecked permission collections. Limited the definition of
equivalence to apply only to those permission types that are the
subject of the translation. Added footnote to describe why
equivalence cannot always be evaluated by
PermissionCollection.implies().
Servlet
Statement Removal:
• In
Section 3.1.3, “Translating Servlet Deployment Descriptors”,
relaxed requirement that the value true
be passed as the second argument to getPolicyConfiguration.
Changed text to require that the policy statements be removed, and
added footnotes to describe implementation choices.
EJB
Statement Removal:
• In
Section 3.1.5, “Translating EJB Deployment Descriptors”,
relaxed requirement that the value true
be passed as the second argument to getPolicyConfiguration.
Changed text to require that the policy statements be removed, and
added footnotes to describe implementation choices.
Encoding
colons in url-patterns:
• Added
a requirement to Section , “Qualified URL Pattern Names”,
that the translation use escaped encoding to differentiate colons
occurring within the Pattern and QualifyingPattern elements from
those used to construct the QualifyingPatternList.
EJB
Security Role Ref Translation:
• Corrected
determination of permission name in Section 3.1.5.3, “Translating
EJB security-role-ref Elements”, such that the name is
acquired from the ejb-name of the element containing the
security-role-ref.
• Added
a new paragraph in Section 3.1.5.3, “Translating EJB
security-role-ref Elements”, to describe the creation of
additional EJBRoleRefPermission objects to support optional
declaration of security-role-ref elements (as required by the EJB
3.0 specification).
• Added
a footnote to Section 3.1.5.3, “Translating EJB
security-role-ref Elements”, to indicate that the
requirements of this section apply to any elements that are
permitted by the EJB deployment descriptor schema to contain
security-role-ref elements. This was done in anticipation of
support for inclusion of this element in the message-driven
element.
Changes to Policy Decision and Enforcement Contract
Encoding
colons in Checked Permissions:
• In
Section 4.1.1, “Permission Names for Transport and
Pre-Dispatch Decisions”, added the requirement that all
colon characters occurring within the name of the checked
permission be represented using escaped encoding.
EJB
Access Exception:
• In
Section 4.3.1, “EJB Pre-dispatch Decision”, corrected
requirement that an RMISecurityException be thrown by requiring
that the container throw an exception as required by the
corresponding EJB Specification.
Policy
Context Handler Behavior:
• Added
footnote to Section 4.6.1, “Policy Context Handlers”
to make it explicit that the requirement that a handler return a
null value when called outside of the context of an invocation,
need not apply to any additional handlers registered with the
container.
• Modified
the requirements of Section 4.6.1, “Policy Context Handlers”
to allow containers to effectively delay registrations that would
otherwise impede performance. As a result of the change,
containers (especially EJB containers) may return null when,
during the processing of a request, an attempt is made to invoke a
required but not yet registered handler.
Checking
AccessControlContext Independent Grants:
• In
Section 4.7, “Checking AccessControlContext Independent
Grants”, corrected return result of
AccessController.checkPermission when exception is not thrown.
getPolicy
Method name:
• In
Section 4.11, “Policy Compatibility Requirements”,
corrected the reference to the
javax.security.auth.Policy.getPolicy
method.
Changes to API
Handling
of Colons by WebResourcePermission Constructors:
• Added
requirement that all colons occurring within the URLPattern
elements of the name and URLPatternSpec arguments passed to the
String based constructors of WebResoucePermission must be
represented in escaped encoding.
• Added
requirement to the HttpServletRequest based constructor of
WebResourcePermission that the constructor must transform all
colon characters occurring in the name to escaped encoding.
Handling
of Colons by WebUserDataPermission Constructors:
• Added
requirement that all colons occurring within the URLPattern
elements of the name and URLPatternSpec arguments passed to the
String based constructors of WebUserDataPermission must be
represented in escaped encoding.
• Added
requirement to the HttpServletRequest based constructor of
WebUserDataPermission that the constructor must transform all
colon characters occurring in the name to escaped encoding.
Changes to Issues
Resolved
Issues
• Added
recommended resolution to issue, Section B.21, “Welcome File
and security-constraint Processing”.
• Added
resolution to issue, Section B.22, “Colons Within
path-segment of Request URI”.
|
