"EPractice Labs order management business logic is implemented in EJB components and running in www123testlab.com server. The license server located in www.epracticelabs.com access these components via RMI with container-managed security. Customer role can access processLicense method and admin role can access delete/update business method. The technical team wants to use these business services in PHP and ASP web applications."
Which container-managed web service security mechanism would the technical team use to allow PHP and ASP web service clients to use the current security model?"
A. annotations mapped to JAX-WS runtime
B. HTTP basic authentication
C. XML digital signature
The given answer is A. EPractice Lab explains: "Annotations play a critical role in JAX-WS. First, annotations are used in mapping Java to WSDL and schema. Second, annotations are used at runtime to control how the JAX-WS runtime processes and responds to web service invocations."
I think the answer should be A and B.
I think the service should annotate the methods with @RolesAllowed like this:
In sun-ejb-jar.xml, basic authentication can be specified:
The reason we still need this sun-ejb-jar.xml file to specify the authentication method is that the web container should authenticate the users first, before the EJB container authorizes them (e.g. authorizes John Smith, who is a customer, to access the processLicense() method).
subject: authentication is needed for access control
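The role checks discussed in this post, as an added example that is not part of the original post or of EPractice Labs' material: a stateless EJB exposed through JAX-WS with `@RolesAllowed` on each business method. The class name `OrderManagementBean`, the service name, the `updateOrder`/`deleteOrder` method names and the in-memory map are assumptions; the role names and `processLicense` come from the question.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.RolesAllowed;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;
import javax.jws.WebMethod;
import javax.jws.WebService;

// Hypothetical bean and service names; roles follow the question text.
@Stateless
@WebService(serviceName = "OrderManagementService")
@DeclareRoles({"customer", "admin"})
public class OrderManagementBean {

    // Constructed in-memory store standing in for the real order database.
    private static final Map<String, String> ORDERS = new ConcurrentHashMap<>();

    // Gives access to the identity the container has already authenticated.
    @Resource
    private SessionContext ctx;

    // The EJB container only lets callers in the "customer" role reach this body.
    @WebMethod
    @RolesAllowed("customer")
    public String processLicense(String orderId) {
        String caller = ctx.getCallerPrincipal().getName();
        ORDERS.put(orderId, caller);
        return "LICENSE-" + orderId + "-" + caller;
    }

    // Update and delete are restricted to the "admin" role.
    @WebMethod
    @RolesAllowed("admin")
    public void updateOrder(String orderId, String owner) {
        if (ORDERS.replace(orderId, owner) == null) {
            throw new IllegalArgumentException("unknown order " + orderId);
        }
    }

    @WebMethod
    @RolesAllowed("admin")
    public boolean deleteOrder(String orderId) {
        return ORDERS.remove(orderId) != null;
    }
}
```

The annotations only express authorization; the caller identity they are checked against comes from whatever authentication the container is configured to perform for the endpoint. HTTP basic credentials are only Base64-encoded, so such an endpoint should be served over HTTPS.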