Hi!
I found this question in Sun's free example exam:
Given these deployment descriptor elements:
security-constraint
login-config
security-role
What requires these elements during configuration?
And the answer is:
A. authorization of Web Services
Option A is correct because configuring the authorization of Web Services requires the deployment descriptor elements: security-constraint, login-config, and security-role.
And I fonud also this question from JWepPlus:
What are the following deployment descriptor elements used for?
<login-config>
<security-constraint>
<security-role>
And de answer is:
Authentication and Authorization
<login-config> does the authentication. By validating the username/password, it makes sure that the user is what he/she claims to be.
<security-constraint> and <security-role> both are needed to perform authorization.
I am confused again. Can some body explain me, please.
Thank you in advance.

Authentication is a login issue. Is this user allowed to use the application. Once you are in the application, it is possible that you have some restricted areas. Like you only want "admin" to see/change other people's passwd.
Here comes autherization. With this feature, you associate rules and roles to the username. Hence, based on the username (the user), you decide if its an "admin" privilaged account or not. If it is, then you allow access to the "Admin" portion of your software.
Hope this help.
- madhav