In MZ's notes, chapter 3, it says "EJB container does not perform authentication." and "JAX-RS runtime environment checks for annotated constraints after the web container runtime has checked for security constraints that are configured in web.xml file."
But in Ivan's notes, chapter 8, when a JAX-WS service is deployed as an EJB-based web service, the developer must have sun-ejb-jar.xml to define the authentication method like this:
We can even define <method-permission> in ejb-jar.xml too.
My question is:
Security constraints are defined in the ejb-jar.xml file instead of the web.xml file when a JAX-WS EJB web service is deployed.
But when servlet based or EJB based JAX-RS is deployed, it uses web.xml to check for security constraints, not ejb-jar.xml. Why?
Here is the summary of what I read from the J2EE tutorial and MZ and Ivan's exam guides:
1. JAX-WS servlet based web service needs web.xml file to define security constraints (which authentication method, which role to POST request, login config (Basic, form, client cert or digest)) and sun-web.xml to define security role mappings (which authorized user is mapped to which role).
2. JAX-WS EJB based web service needs ejb-jar.xml file to define method permissions (which method can be accessed by which role) and sun-ejb-jar.xml to define security constraints (which authentication method and whether SSL is used).
3. JAX-RS (servlet based or EJB based) needs web.xml to define the same security constraints using web.xml and sun-web.xml since only the web container performs authentication, not the EJB container. JAX-RS checks for the constraints from web.xml file only.
*One more point: sun-web.xml is a metro specific file. If it is for Glassfish, it should be named glassfish-web.xml.
Any comments? I hope this summary can help other people to memorize which deployment descriptor is for which type of web service.
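
An added illustration (not part of the original post or of the cited notes) of the kind of web.xml constraint item 3 of the summary describes for a JAX-RS application. The URL pattern `/resources/*`, the role name `customer` and the realm name `file` are assumed placeholders.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: /resources/*, the role "customer" and the realm "file" are assumptions. -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
                             http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
         version="3.1">

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>JAX-RS resources</web-resource-name>
      <url-pattern>/resources/*</url-pattern>
      <!-- Naming a method constrains only that method: GET, PUT, DELETE etc.
           on the same URL pattern are NOT covered by this constraint. -->
      <http-method>POST</http-method>
    </web-resource-collection>
    <!-- Which role may send the request -->
    <auth-constraint>
      <role-name>customer</role-name>
    </auth-constraint>
    <!-- BASIC credentials are only base64-encoded, so require TLS -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Servlet 3.1: reject every HTTP method that no constraint names,
       closing the gap left by the single <http-method> above. -->
  <deny-uncovered-http-methods/>

  <!-- The web container performs the authentication -->
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>file</realm-name>
  </login-config>

  <!-- Mapping of users or groups to this role lives in the
       server-specific descriptor, not in web.xml. -->
  <security-role>
    <role-name>customer</role-name>
  </security-role>
</web-app>
```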