[cddlm] Import resolution in CDL

Steve Loughran steve_loughran at hpl.hp.com
Wed Nov 2 05:57:44 CST 2005


I am looking at relative import resolution. That is, if a document came 
from somewhere, then relative paths to resolve things are allowed.

Who has implemented this already?

An interesting feature of the specs is that we have left resolution 
undefined; import takes a string.

Right now all I implement is the SmartFrog policy
  -all paths resolve to resources that must be loadable from the classpath
  -in secure mode, all .sf documents must be in signed jar files.

If we allow arbitrary URLs to be resolved then

-URLs must be resolved with the rights of the user doing the deployment. 
I must not be able to read .cdl docs to which I lack the granted rights.

-We are going to need a way to secure deployment descriptors so that I 
don't download and deploy a subverted document.

-Imagine I upload a set of cdl files using AddFile, and get back URLs to 
each of them. How can I put the URL to them into the CDL descriptor for 
importing? In the current HP resource-only-implementation, life is 
simpler as I require all the descriptors to go up as JAR files, then 
take a property to declare the extra set of jars to add to the 
classpath. But this will not interop with other apps.

I will file this as an issue on the GGF trackers.
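
An added example, not part of the original message and not code from any CDL or SmartFrog implementation: one possible policy for the concerns raised above. It resolves a relative import against the URL of the importing document, confines the result to a deployment root, and accepts the fetched descriptor only if its SHA-256 matches a pinned value. The names `resolve_import`, `load_import` and `ImportRejected`, the `repo.example` URLs, the pinned-digest manifest and the caller-supplied `fetch` (assumed to run with the deploying user's credentials) are all assumptions of this example.

```python
import hashlib
import hmac
from urllib.parse import urljoin, urlsplit


class ImportRejected(Exception):
    """An import violated the resolution policy."""


def resolve_import(base_url, import_ref, root):
    """Resolve import_ref against the importing document's URL, confined to root."""
    if not root.endswith("/"):
        raise ValueError("root must end with '/' so the prefix check is exact")
    resolved = urljoin(base_url, import_ref)  # RFC 3986 relative resolution
    parts = urlsplit(resolved)
    if parts.scheme != "https":
        raise ImportRejected(f"scheme not allowed: {resolved}")
    if "%" in parts.path or "\\" in parts.path:
        # Fail closed: encoded dots or slashes may be decoded differently server-side.
        raise ImportRejected(f"ambiguous path: {resolved}")
    if not resolved.startswith(root):
        # Covers '../' escapes and '//other-host/' references after normalisation.
        raise ImportRejected(f"outside deployment root: {resolved}")
    return resolved


def load_import(base_url, import_ref, root, pinned, fetch):
    """Fetch an import; accept it only if its SHA-256 matches the pinned digest."""
    url = resolve_import(base_url, import_ref, root)
    expected = pinned.get(url)
    if expected is None:
        raise ImportRejected(f"no pinned digest for {url}")
    body = fetch(url)  # assumption: fetch runs with the deploying user's rights
    actual = hashlib.sha256(body).hexdigest()
    if not hmac.compare_digest(actual, expected):
        raise ImportRejected(f"digest mismatch for {url}")
    return url, body


# Constructed sample data for this example (not from the original message).
ROOT = "https://repo.example/deploy/app1/"
MAIN = ROOT + "main.cdl"
GOOD = b"<cdl/>"
PINNED = {ROOT + "lib/base.cdl": hashlib.sha256(GOOD).hexdigest()}
```
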




