In MZ's notes, chapter 3, it says "EJB container does not perform authentication." and "JAX-RS runtime environment checks for annotated constraints after the web container runtime has checked for security constraints that are configured in web.xml file."
But in Ivan's notes chapter 8, when a JAX-WS service is deployed as an EJB based web service, the developer must have sun-ejb-jar.xml to define authentication method like this:
We can even define <method-permission> in ejb-jar.xml too.
My question is:
Security constraints are defined in ejb-jar.xml file instead of web.xml file when a JAX-WS EJB web service is deployed.
But when servlet based or EJB based JAX-RS is deployed, it uses web.xml to check for security constraints, not ejb-jar.xml. Why?
Here is the summary of what I read from the J2EE tutorial and MZ and Ivan's exam guides:
1. JAX-WS servlet based web service needs web.xml file to define security constraints (which authentication method, which role to POST request, login config (Basic, form, client cert or digest)) and sun-web.xml to define security role mappings (which authorized user is mapped to which role).
2. JAX-WS EJB based web service needs ejb-jar.xml file to define method permissions (which method can be accessed by which role) and sun-ejb-jar.xml to define security constraints (which authentication method and whether SSL is used).
3. JAX-RS (servlet based or EJB based) needs web.xml to define the same security constraints using web.xml and sun-web.xml since only the web container performs authentication, not the EJB container. JAX-RS checks for the constraints from web.xml file only.
*One more point: sun-web.xml is a Metro specific file. If it is for Glassfish, it should be named glassfish-web.xml.
Any comments? I hope this summary can help other people to memorize which deployment descriptor is for which type of web service.
Chapter 4.8.3 Enterprise Java Beans
"Stateless and Singleton Session beans can be used as Jersey root resource classes..... JAX-RS specifications requires its implementations to discover EJBs by inspecting annotations on classes, but not in the deployment descriptor (ejb-jar.xml). As such, to keep your JAX-RS application portable, do not override EJB annotations or provide any additional meta-data in the deployment descriptor file."
"Please note that Jersey does not support deployment of JAX-RS applications packaged as standalone EJB modules (ejb-jars). To use EJBs as JAX-RS resources, the EJBs need to be packaged either directly in a WAR or EAR."
So, with Jersey, we should not use any ejb-jar.xml.
No matter whether the web service is JAX-RS or JAX-WS, deployed as either an EJB component or a servlet component, the EJB container does not do any authentication. Only the web container does the authentication.
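For the web.xml side that the summary describes for JAX-RS in a WAR, here is an added example (not taken from the exam notes or from the posts above). The URL pattern, role name and realm name are assumptions. It also shows one thing the summary's "which role to POST request" wording can hide: a constraint that lists only POST leaves the other HTTP methods on the same URL unconstrained.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: WEB-INF/web.xml for a WAR that hosts a JAX-RS application.
     The URL pattern, role name and realm name below are assumptions. -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">

  <!-- Servlet 3.1: reject any HTTP method that no constraint covers,
       instead of letting it through unauthenticated. -->
  <deny-uncovered-http-methods/>

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>orders-api</web-resource-name>
      <url-pattern>/resources/orders/*</url-pattern>
      <!-- No <http-method> elements: the constraint applies to every method.
           Listing only <http-method>POST</http-method> here would leave
           GET, PUT, DELETE and the rest unconstrained on this URL. -->
    </web-resource-collection>
    <!-- Authorization: only callers mapped to this role may pass. -->
    <auth-constraint>
      <role-name>order-clerk</role-name>
    </auth-constraint>
    <!-- Transport: the container requires HTTPS for these URLs, which matters
         with BASIC because the credentials are only base64-encoded. -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Authentication method, performed by the web container. -->
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>file</realm-name>
  </login-config>

  <!-- Every role used in an auth-constraint must be declared. -->
  <security-role>
    <role-name>order-clerk</role-name>
  </security-role>
</web-app>
```

Mapping the `order-clerk` role to actual users or groups is still done in the server-specific descriptor named in the summary (sun-web.xml or glassfish-web.xml).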