Attributes of type ObjectList are left undefined when their enclosing element is empty, which makes it impossible to differentiate an empty object list from an unspecified one.
The ability to distinguish the two scenarios is important in the security manager subsystem. Consider this configuration:
The maximum-set is absent and this case we want to use a default set with AllPermission. Now consider another configuration:
In this case, maximum-set has been specified but it is empty, which means the admin/user deliberately wants to use an emtpy set, possibly to enforce that no deployments with special permissions requirements get deployed.
The problem is that both scenarios result in an undefined attribute for the maximum-set, which means that the default AllPermission set ends up being used in both cases. The parser doesn't initialize the attribute with an empty list when the enclosing element is present but is empty. So in the end, both approaches result in an undefined attribute.