The fixes are rather straightforward, and should be derivable by comparing the v2 and v3 source of the 4 classes named below:
1. The HttpServletRequest based constructors of WebResourcePermission and WebUserDataPermission were revised to encode colon characters occurring in the URL pattern acquired from the request argument. ":" ==> "%3x"
2. A similar change was made in WebPermissionUtil. WebPermissionUtil translates security constraints defined via web.xml or by annotation for provisioning of the policy subsystem. The translation was revised to ensure that colons appearing in constrained patterns are encoded as "%3x" before being used in policy configuration.
3. A similar change was made to the enforcement point in WebSecurityManager.java. The enforcement point uses the string based permission constructors, so colons appearing in the pattern extracted from the HttpServletRequest are encoded prior to constructing the permission to be checked.
If you have a support contract you could follow that path to obtain more details of the fix.
[Message sent by forum member 'monzillo' (ronald.monzillo_at_sun.com)]
http://forums.java.net/jive/thread.jspa?messageID=381806
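
The following sketch is an added example, not part of the original post and not GlassFish code. It shows why a colon in a request-derived pattern has to be escaped before it is used as a JACC permission name, where a colon separates the first URL pattern from its qualifying patterns. The class and method names are hypothetical, the path is a constructed sample, and the escape is assumed to be `%3A`, the percent-encoding of a colon.

```java
import java.util.Arrays;
import java.util.List;

public class ColonEncodingDemo {

    // Hypothetical helper (not the GlassFish code): escape ':' in a URL
    // pattern before it becomes part of a permission name.
    // Assumption: the escape is "%3A", the percent-encoding of ':'.
    static String encodeColons(String pattern) {
        return pattern.replace(":", "%3A");
    }

    // Simplified model of a JACC permission name, where ':' separates the
    // first URL pattern from a list of qualifying patterns.
    static List<String> splitName(String name) {
        return Arrays.asList(name.split(":"));
    }

    // Provisioning and enforcement must apply the same encoding, otherwise
    // the checked permission name never equals the provisioned one.
    static boolean sameName(String constrainedPattern, String requestPattern) {
        return encodeColons(constrainedPattern).equals(encodeColons(requestPattern));
    }

    public static void main(String[] args) {
        String requestPattern = "/docs/report:2009"; // constructed sample

        // Unencoded: the name is read as pattern "/docs/report" plus a
        // qualifier "2009", which is not what the request asked for.
        System.out.println(splitName(requestPattern));

        // Encoded: the whole request path stays one pattern.
        System.out.println(splitName(encodeColons(requestPattern)));

        // A constraint declared for the same path yields the same name.
        System.out.println(sameName("/docs/report:2009", requestPattern));
    }
}
```

The same encoding has to be applied at all three places the post lists (the request-based constructors, the constraint translation, and the enforcement point), since a name encoded on one side only would not compare equal to the other.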