Changes made throughout the Document

• Changed the version of the specification from 1.2 to 1.3.

Changes to Policy Configuration Contract

Translating Security Constraints:

• In Section 3.1.3.1, “Translating security-constraint Elements”, clarified the description of the HTTP methods to which a constraint applies to accommodate the introduction, by Servlet 3.0, of http-method-omission elements. Servlet 3.0 defines the http-method-omission element to support the use of the @RolesAllowed, @PermitAll, @DenyALL, and @TransportProtected annotations.

• Added a new minor subsection called, “Combining Http Methods”, to establish the rules for determining to which HTTP methods a constraint applies. The rules were defined to include support for http-method-omission lists, and such that they are backward compatible with applications that employs a prior version deployment descriptor schema (that does not support http-method-omission elements).

Security Constraint Translation Example:

• In Section 3.1.3.4, “Example”, modified the excluding auth-constraint to demonstrate the use of an http-method-omission list. Also changed TABLE 3-5 (which contains the result of the translation) to reflect the change to the auth-constraint.

EJB Security Role Ref Translation:

• . Added a footnote to Section 3.1.5.3, “Translating EJB security-role-ref Elements”, to clarify, by example, the requirement to create additional EJBRoleRefPermission objects to support optional declaration of security-role-ref elements.