[javaee-spec users] Re: Position on SecurityManager/Policy SE APIs

From: Ron Monzillo <>
Date: Wed, 21 Aug 2013 12:45:35 -0400

On 8/21/13 11:31 AM, Raymond Auge wrote:
> Hello everyone,
> My name is Raymond Auge and this is my first email to the list.
> Hopefully I follow proper protocol. Please let me know if I have not.
> -----
> Sorry, my question may seem odd.
> I would like to get an official position statement on the handling of
> the SecurityManager/Policy APIs with respect to Java EE?
> I suppose I am asking:
> "Is it OK for Java EE specifications/implementations to make
> assumptions about the state of the SecurityManager/Policy without
> respecting changes in their runtime state?"
If you think there is an issue with the specifications, it would help if
you could provide a reference to the
specification content.

that said, a perhaps overly simplistic answer to your question, is that
EE 7 requires that every EE product be able to run with a security
manager enabled. So for example, it would not be appropriate for an
implementation to assume that a security manager will not (or at least
never) be enabled. For prior releases of EE, one might conclude otherwise.

Regarding the runtime or installation specific state of access control
Policy (as enforced by the Policy system) there is an expectation that
the Policy implementation enforce the policy as configured for the
installation, with the additional requirement that every EE product
provide a means for applications to be granted some specific permissions
identified in the EE specification.

EE 7 also added a new facility by which applications may declare the
permissions that they require.

I'll stop there for now,

> *Raymond Augé* 
> <> (@rotty3000)
> Senior Software Architect
> *Liferay, Inc.* <> (@Liferay)