<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto"><div>Not sure who's seen this yet. </div><div><br></div><div>Begin forwarded message:<br><br></div><blockquote type="cite"><div><b>From:</b> Bill Shannon <<a href="mailto:bill.shannon@oracle.com">bill.shannon@oracle.com</a>><br><b>Date:</b> November 16, 2012, 17:18:12 MST<br><b>To:</b> <a href="mailto:jsr342-experts@javaee-spec.java.net">jsr342-experts@javaee-spec.java.net</a><br><b>Subject:</b> <b>[javaee-spec users] [jsr342-experts] security permissions for libraries</b><br><b>Reply-To:</b> <a href="mailto:jsr342-experts@javaee-spec.java.net">jsr342-experts@javaee-spec.java.net</a><br><br></div></blockquote><blockquote type="cite"><div><span>As described in this document:</span><br><span><a href="http://java.net/projects/javaee-spec/downloads/download/ee-sec-mgr-00-ljm.pdf">http://java.net/projects/javaee-spec/downloads/download/ee-sec-mgr-00-ljm.pdf</a></span><br><span>we plan to add the ability to include a permissions.xml file with an</span><br><span>application to control what security permissions the application gets.</span><br><span></span><br><span>Our intent was to support this only at the module level, e.g., only for a</span><br><span>war file, ejb-jar file, or app client jar file. This raises a question</span><br><span>I'd like your opinion on...</span><br><span></span><br><span>What permissions should apply to libraries in the "lib" directory of an</span><br><span>ear file?</span><br><span></span><br><span>Ultimately we'd like to allow each such library to include a permissions.xml</span><br><span>file of its own, but even then we need to decide what permissions should</span><br><span>apply if the library doesn't include a permissions.xml file.</span><br><span></span><br><span>Remember that libraries are available to all modules of the application.</span><br><span></span><br><span>There seem to be a few options:</span><br><span></span><br><span>1. The permissions for the library are the same as the permissions for</span><br><span> the code that calls the library. If the library code is called from</span><br><span> a war file, it gets the permissions of the war file. If the same</span><br><span> library is called from an ejb-jar file, it gets the permissions of</span><br><span> the ejb-jar file.</span><br><span></span><br><span>2. The permissions for the library are the default permissions for the</span><br><span> container calling the library. As above, the permissions would vary</span><br><span> based on what code calls the library, but would always be the default</span><br><span> permissions for that container, even though the calling code might</span><br><span> have more or fewer permissions than the default. (It's not clear to</span><br><span> me that this is implementable.)</span><br><span></span><br><span>3. We allow a permissions.xml file to be included in the "lib" directory.</span><br><span> All the libraries in the "lib" directory get these permissions, no</span><br><span> matter which container is calling them.</span><br><span></span><br><span>Note that in addition to libraries in the "lib" directory of an ear file,</span><br><span>modules can use a Class-Path entry to reference other libraries anywhere</span><br><span>in the ear file. I think #1 above is the only viable choice for this</span><br><span>case.</span><br><span></span><br><span>Again, in a future release we hope to support a permissions.xml file in</span><br><span>the library jar file itself.</span><br><span></span><br><span>How do you think we should handle security permissions for libraries in</span><br><span>this release?</span><br></div></blockquote></body></html>