11.3 Container contract

The container contract of the JACC Specification specifies how the container creates permission objects during access checks and calls the provider with the information needed to make the access decision. When a resource is accessed, the container is expected to create the appropriate permission object and call the provider's Policy.implies method. The container is also expected to register policy context handler objects, which supply additional information for making the access decision. The following handlers are required to be registered by the containers.

The container contract defines the following components:

Policy Enforcement by Servlet Containers, which includes the Evaluation of Transport Guarantees, the Pre-dispatch Decision and the Application Embedded Privilege Test.

Provider Support for Servlet Policy Enforcement, which includes Servlet Policy Decision Semantics, Matching Qualified URL Pattern Names, WebResourcePermission Matching Rules, WebRoleRefPermission Matching Rules and WebUserDataPermission Matching Rules.

Policy Enforcement by EJB Containers, which includes the EJB Pre-dispatch Decision and the EJB Application Embedded Privilege Test.

Provider Support for EJB Policy Enforcement, which includes EJB Policy Decision Semantics, EJBMethodPermission Matching Rules and EJBRoleRefPermission Matching Rules.

Component runAs Identity

Setting the Policy Context

Checking AccessControlContext Independent Grants

Checking the Caller for a Permission

Missing Policy Contexts

Default Policy Context

Policy Compatibility Requirements

Optimization of Permission Evaluations
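
The servlet pre-dispatch check described at the start of this section, as added example code (not taken from the specification or from any container): the container registers a policy context handler, sets the policy context, builds a WebResourcePermission and calls Policy.implies. It assumes the javax.security.jacc API is on the classpath and a JACC provider is installed as the JVM-wide Policy; the CALLER thread-local, the class name, the context ID and the URI are hypothetical.

```java
import java.security.CodeSource;
import java.security.Policy;
import java.security.Principal;
import java.security.ProtectionDomain;
import java.security.cert.Certificate;
import javax.security.auth.Subject;
import javax.security.jacc.PolicyContext;
import javax.security.jacc.PolicyContextException;
import javax.security.jacc.PolicyContextHandler;
import javax.security.jacc.WebResourcePermission;

public class PreDispatchCheck {
    static final String SUBJECT_KEY = "javax.security.auth.Subject.container";
    // Hypothetical holder for the authenticated caller of the current request.
    static final ThreadLocal<Subject> CALLER = new ThreadLocal<>();

    // Container startup: register a handler so the provider can ask for the caller's Subject.
    static void registerSubjectHandler() throws PolicyContextException {
        PolicyContext.registerHandler(SUBJECT_KEY, new PolicyContextHandler() {
            public boolean supports(String key) { return SUBJECT_KEY.equals(key); }
            public String[] getKeys() { return new String[] { SUBJECT_KEY }; }
            public Object getContext(String key, Object data) { return CALLER.get(); }
        }, true);
    }

    // Per request: build the permission for the requested resource and ask the provider.
    static boolean isAllowed(String contextId, String uri, String method, Subject caller) {
        String previous = PolicyContext.getContextID();
        CALLER.set(caller);
        try {
            PolicyContext.setContextID(contextId);   // selects the application's policy statements
            ProtectionDomain pd = new ProtectionDomain(
                new CodeSource(null, (Certificate[]) null), null, null,
                caller.getPrincipals().toArray(new Principal[0]));
            return Policy.getPolicy().implies(pd, new WebResourcePermission(uri, method));
        } finally {
            PolicyContext.setContextID(previous);    // pooled threads must not keep this context
            CALLER.remove();
        }
    }

    public static void main(String[] args) throws PolicyContextException {
        registerSubjectHandler();
        // Constructed values; the decision depends on the installed provider's policy.
        System.out.println(isAllowed("example-app/web", "/admin/users", "GET", new Subject()));
    }
}
```

Restoring the previous context ID and clearing the thread-local in the finally block keeps one application's policy context and caller from leaking into the next request served by the same thread.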