Thanks a lot for the update.
I'm glad, Ron is involved, so where access to identity providers and attributes so far discussed by the JSR 351 EG needs to be restricted or controlled, I assume there's going to be additional requirements for that, too.
Larry McCay, Ron Monzillo, and I have drafted updates to the platform
spec to describe the new security manager requirements we've previously
agreed on. It turned out to be surprisingly difficult to write these
requirements in a way that captures some of the subtlety involved.
Please review these updated spec sections carefully and ask questions
if you're not sure exactly what the requirements are.
The proposed spec updates are here, and will be folded into the draft
spec soon (obviously the numbering and such will be fixed at that point):
[javaee-spec users] [jsr342-experts] Re: spec changes for new security manager requirements