Changes made throughout the Document
Changed the version of the specification from 1.0 to 1.1.
Replaced Sun logo with Oracle Logo
Removed paragraph tags from PDF bookmarks
Updated the License
Changes to Preface
Changed document Status
Added names of new contributors
Changes to Servlet Container Profile
As resolution for issue JASPIC_SPEC-1, in Section 3.2, "Application Context Identifier", defined Standard ApContextID generation.
In Section 3.8, "Message Processing Requirements," and Section 3.8.3, "Server Auth Processing," clarified that validateRequest must be called on every request for which the Servlet security model applies. Also included a footnote explaining that the security model does not apply to forwards and includes.
As part of resolution for issue JASPIC_SPEC-7, in Section 3.8.3.1, "validateRequest Before Service Invocation," added clarification to the description of processing for SEND_CONTINUE, especially to allow for forwards to a login page from within an authentication module. Also clarified the description of processing for SEND_FAILURE to indicate that this status is returned when the validation failed and the client should not continue or retry the request.
As presumptive resolution to issue JASPIC_SPEC-5, added footnote on header of Section 3.8.3.2, "validateRequest After Service Invocation," to clarify that "after the service invocation" effectively means after the call to secureResponse, so as to remain distinct from the case where a call to authenticate from within the application results in a call to validateRequest during the service invocation.
As part of resolution for JASPIC_SPEC-7, added Section 3.8.3.4, "Forwards and Includes by Server Authentication Modules," to make it clear that authentication modules must be able to use a RequestDispatcher to forward to a login page (for example).
In Section 3.8.4, "Setting the Authentication Results on the HttpServletRequest," amended description to make this section suitable for describing both the case where validateRequest is called prior to a request, and the case where validateRequest is (presumably) being called during the processing of the request.
As resolution for JASPIC_SPEC-3, in Section 3.8.4, "Setting the Authentication Results on the HttpServletRequest," added Table 3-4 to define the name of the session registration callback property. Also added description of the processing of the property.
As resolution for issues JASPIC_SPEC-4 and JASPIC_SPEC-6, added Section 3.9, "Sub-profile for authenticate, login, and logout of HttpServletRequest," to define the use of the JASPIC SPI under HttpServletRequest.authenticate, login, and logout.
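The SEND_CONTINUE and SEND_FAILURE handling clarified in Section 3.8.3.1, and the forward to a login page permitted by Section 3.8.3.4, can be illustrated with a server authentication module. This is an added example, not code from the specification; the class name, the /login.jsp path and the j_username/j_password parameter names are assumptions, and it assumes the module guards only resources where authentication is mandatory.

```java
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.message.*;
import javax.security.auth.message.callback.*;
import javax.security.auth.message.module.ServerAuthModule;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example: class name, login path and parameter names are hypothetical.
public class LoginForwardModule implements ServerAuthModule {
    private CallbackHandler handler;
    public void initialize(MessagePolicy requestPolicy, MessagePolicy responsePolicy,
                           CallbackHandler handler, Map options) {
        this.handler = handler; // container-supplied handler
    }
    public Class[] getSupportedMessageTypes() {
        return new Class[] { HttpServletRequest.class, HttpServletResponse.class };
    }
    public AuthStatus validateRequest(MessageInfo info, Subject client, Subject service)
            throws AuthException {
        HttpServletRequest req = (HttpServletRequest) info.getRequestMessage();
        HttpServletResponse res = (HttpServletResponse) info.getResponseMessage();
        String user = req.getParameter("j_username");
        String pass = req.getParameter("j_password");
        try {
            if (user == null || pass == null) {
                // No credentials yet: forward to the login page and keep the dialog open.
                req.getRequestDispatcher("/login.jsp").forward(req, res);
                return AuthStatus.SEND_CONTINUE;
            }
            PasswordValidationCallback check =
                    new PasswordValidationCallback(client, user, pass.toCharArray());
            handler.handle(new Callback[] { check }); // container validates the password
            check.clearPassword();
            if (!check.getResult()) {
                // Design choice of this example: a rejected password is final, no retry.
                res.sendError(HttpServletResponse.SC_FORBIDDEN);
                return AuthStatus.SEND_FAILURE;
            }
            handler.handle(new Callback[] { new CallerPrincipalCallback(client, user) });
            return AuthStatus.SUCCESS;
        } catch (Exception e) {
            throw (AuthException) new AuthException("validateRequest failed").initCause(e);
        }
    }
    public AuthStatus secureResponse(MessageInfo info, Subject service) { return AuthStatus.SEND_SUCCESS; }
    public void cleanSubject(MessageInfo info, Subject subject) { if (subject != null) subject.getPrincipals().clear(); }
}
```

The module establishes the response itself (the forwarded login page or the 403) before returning SEND_CONTINUE or SEND_FAILURE, so the container does not invoke the target resource in either case.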
Changes to Appendix B, Issues
Changes to Appendix D, API
As part of resolution for JASPIC_SPEC-2 and JASPIC_SPEC-11, in abstract "AuthConfigFactory" class, made public the static permissions that are used to protect the static getFactory and setFactory methods, and improved documentation so users of the SPI can know which permissions are used. Also added an additional public providerRegistrationSecurityPermission and required that it be used by factory implementations to protect methods like registerConfigProvider. Removed incorrect assertion from javadoc of getFactory, both forms of registerConfigProvider, and refresh, that a checked AuthException could be thrown (by these methods). Changed the javadoc of these four methods to indicate that the conditions for which they were expected to throw an AuthException should instead be handled within their existing declarations of throwing an (unchecked) SecurityException. Regenerated (mif) javadocs (embedded in spec) from html javadocs, which corrected definition for layer and appContext parameters of getConfigProvider.
Javadoc, patch file
As part of resolution for JASPIC_SPEC-2, in "AuthConfigProvider" interface, removed incorrect assertion from javadoc of refresh method that a checked AuthException could be thrown, and changed javadoc to indicate that the conditions for which refresh was expected to throw an AuthException should instead be handled within its existing declaration of throwing an (unchecked) SecurityException.
Javadoc, patch file
As part of resolution for JASPIC_SPEC-2, in "AuthConfig" interfaces, made same changes as to AuthConfigProvider interface.
Javadoc, patch file