• Post Reply Bookmark Topic Watch Topic
  • New Topic
programming forums Java Mobile Certification Databases Caching Books Engineering Micro Controllers OS Languages Paradigms IDEs Build Tools Frameworks Application Servers Open Source This Site Careers Other all forums
this forum made possible by our volunteer staff, including ...
  • Campbell Ritchie
  • Bear Bibeault
  • Ron McLeod
  • Jeanne Boyarsky
  • Paul Clapham
  • Tim Cooke
  • Liutauras Vilda
  • Junilu Lacar
Saloon Keepers:
  • Tim Moores
  • Stephan van Hulst
  • Tim Holloway
  • fred rosenberger
  • salvin francis
  • Piet Souris
  • Frits Walraven
  • Carey Brown

EJB container /web container and authentication

Ranch Foreman
Posts: 1924
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
In MZ's notes, chapter 3, it says "EJB container does not perform authentication." and "JAX-RS runtime environment checks for annotated constraints after the web container runtime has checked for security constraints that are configure in web.xml file."

But in Ivan's notes chapter 8, when a JAX-WS service is deployed as a EJB based web service, the developer must have sun-ejb-jar.xml to define authentication method like this:

We can even define <method-permission>in ejb-jar.xml too.

My question is:
Security constraints are defined in ejb-jar.xml file instead of web.xml file when aJAX-WS EJB web service is deployed.
But when servlet based or EJB based JAX-RS is deployed, it uses web.xml to check for security constraints, not ejb-jar.xml. Why?

Here is the summary of what I read from the J2EE tutorial and MZ and Ivan's exam guides:
1. JAX-WS servlet based web service needs web.xml file to define security constraints (which authentication method, which role to POST request, login config (Basic, form, client cert or digest) and sun-web.xml to define security role mappings (which authorized user is mapped to which role).
2. JAX-WS EJB based web service needs ejb-jar.xml file to define method permissions (which method can be accessed by which role) and sun-ejb-jar.xml to define security constraints (which authentication method and whether SSL is used).
3. JAX-RS (servlet based or EJB based) needs web.xml to define the same security constraints using web.xml and sun-web.xml since only the web container performs authentication, not the EJB container perform authentication. JAX-RS checks for the constraints from web.xml file only.

*One more point : sun-web.xml is a metro specific file. If it is for Glassfish, it should be named glassfish-web.xml.

Any comments? I hope this summary can help other people to memorize which deployment descriptor is for which type of which type of web service.

Himai Minh
Ranch Foreman
Posts: 1924
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Let me answer my question:
From Jersey tutorial at https://jersey.java.net/documentation/latest/deployment.html#deployment.javaee.ejb,

Chapter 4.8.3 Enterprise Java Beans
"Stateless and Singleton Session beans can be used as Jersey root resource classes..... JAX-RS specifications requires its implementations to discover EJBs by inspecting annotations on classes , but no in the deployment descriptor (ejb-jar.xml). As such to keep your JAX-RS application portalbe, do not override EJB annotations or provide any additional meta-data in the deployment descriptor file."

"Please note that Jersey does not support deployment of JAX-RS applications packaged as standalone EJB modules (ejb-jars). To use EJBs as JAX-RS resources, the EJBs need to be packaged either directly in a WAR or EAR."

So, with Jersey, we should not use any ejb-jar.xml.

No matter the web service is JAX-RS or JAX-WS deployed as either EJB component or servlet component, the EJB container does not do any authentication. Only the web container does the authentication.
Mo-om! You're embarassing me! Can you just read a tiny ad like a normal person?
Building a Better World in your Backyard by Paul Wheaton and Shawn Klassen-Koop
    Bookmark Topic Watch Topic
  • New Topic