[javaee-spec users] [jsr342-experts] Re: security manager requirements in Java EE

From: Bill Shannon <>
Date: Fri, 16 Mar 2012 10:59:11 -0700

Markus Eisele wrote on 03/14/12 22:18:
> Hi Bill,
> thanks for the new proposal. Reads good. Even if I still have my
> reservations as expressed in the earlier mail.
> Here are some more thoughts and questions:
> 1) Why are we trying to put this into xml?
> What about this:
> <permission-grant-request>
> grant { permission "/temp/abc", "read", "write"; }
> </permission-grant-request>
> The policy file syntax is ugly but if we depend on this we shouldn't
> try to hide that fact too much.
> Or do you know more about how this is going to look like in the future?

My understanding is that the policy file syntax is not standardized
as part of Java SE, but rather is an implementation detail of the JDK.
Thus, to use it here, we would have to standardize it here, which seems

> 2) What about property expansion?
> Do we want/allow something like this:
> <permission-grant-request>
> grant { permission "${user.home}/temp/abc",
> "read", "write"; }
> </permission-grant-request>

Good question. We may need to consider that.

> 3) Last and simple one. If this is going to stay xml I would love to
> have short tag names and add a description to the set.
> <permissions> <grant-request> <description<classname<name<actions

I think it's just following the style of many existing elements
where the sub-elements have names that are qualified with the name
of the parent element. See for example <injection-target>.

Adding <description> seems fine, and by our current convention that
name would not be qualified.