EJB container /web container and authentication

Himai Minh
Ranch Hand

Joined: Jul 29, 2012
Posts: 1120
In MZ's notes, chapter 3, it says "EJB container does not perform authentication." and "JAX-RS runtime environment checks for annotated constraints after the web container runtime has checked for security constraints that are configured in web.xml file."

But in Ivan's notes, chapter 8, when a JAX-WS service is deployed as an EJB-based web service, the developer must have sun-ejb-jar.xml to define the authentication method like this:

We can even define <method-permission> in ejb-jar.xml too.

My question is:
Security constraints are defined in the ejb-jar.xml file instead of the web.xml file when a JAX-WS EJB web service is deployed.
But when servlet based or EJB based JAX-RS is deployed, it uses web.xml to check for security constraints, not ejb-jar.xml. Why?

Here is the summary of what I read from the J2EE tutorial and MZ and Ivan's exam guides:
1. JAX-WS servlet based web service needs web.xml file to define security constraints (which authentication method, which role to POST request, login config (Basic, form, client cert or digest)) and sun-web.xml to define security role mappings (which authorized user is mapped to which role).
2. JAX-WS EJB based web service needs ejb-jar.xml file to define method permissions (which method can be accessed by which role) and sun-ejb-jar.xml to define security constraints (which authentication method and whether SSL is used).
3. JAX-RS (servlet based or EJB based) needs web.xml to define the same security constraints using web.xml and sun-web.xml, since only the web container performs authentication, not the EJB container. JAX-RS checks for the constraints from web.xml file only.

*One more point: sun-web.xml is a Metro-specific file. If it is for GlassFish, it should be named glassfish-web.xml.

Any comments? I hope this summary can help other people to memorize which deployment descriptor is for which type of web service.

Himai Minh
Ranch Hand

Joined: Jul 29, 2012
Posts: 1120
Let me answer my question:
From Jersey tutorial at,

Chapter 4.8.3 Enterprise Java Beans
"Stateless and Singleton Session beans can be used as Jersey root resource classes..... JAX-RS specifications requires its implementations to discover EJBs by inspecting annotations on classes, but not in the deployment descriptor (ejb-jar.xml). As such to keep your JAX-RS application portable, do not override EJB annotations or provide any additional meta-data in the deployment descriptor file."

"Please note that Jersey does not support deployment of JAX-RS applications packaged as standalone EJB modules (ejb-jars). To use EJBs as JAX-RS resources, the EJBs need to be packaged either directly in a WAR or EAR."

So, with Jersey, we should not use any ejb-jar.xml.

No matter whether the web service is JAX-RS or JAX-WS, deployed as either an EJB component or a servlet component, the EJB container does not do any authentication. Only the web container does the authentication.
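
The split described in point 3 of the summary above, as an added example that is not part of the original thread: a web.xml in which the web container authenticates callers of a JAX-RS resource before the JAX-RS runtime sees the request. The URL pattern, role name and realm name are assumptions; the mapping of users to the role goes in the vendor descriptor the first post mentions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- WEB-INF/web.xml: constructed example.
     The URL pattern, role name and realm name are assumptions. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         version="3.0">

  <!-- Enforced by the web container. Annotated constraints on the
       resource class are checked by the JAX-RS runtime only after this. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>orders-api</web-resource-name>
      <url-pattern>/resources/orders/*</url-pattern>
      <!-- No http-method elements: the constraint covers every HTTP
           method. Listing only some leaves the others unprotected. -->
    </web-resource-collection>
    <!-- Only authenticated callers in this role get through. -->
    <auth-constraint>
      <role-name>clerk</role-name>
    </auth-constraint>
    <!-- BASIC sends the password base64-encoded, so require TLS. -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- How the web container authenticates: BASIC, DIGEST, FORM
       or CLIENT-CERT. -->
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>file</realm-name>
  </login-config>

  <!-- Every role named in an auth-constraint is declared here. -->
  <security-role>
    <role-name>clerk</role-name>
  </security-role>
</web-app>
```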