This section details the additional security requirements of a Java EE technology compliant web container.
SRV.14.3.1 Propagation of Security Identity in EJBTM Calls
A security identity, or principal, must always be provided for use in a call to an enterprise bean. The default mode in calls to enterprise beans from web applications is for the security identity of a web user to be propagated to the EJB container.
In other scenarios, web containers are required to allow web users that are not known to the web container or to the EJBcontainer to make calls:
• Web containers are required to support access to web resources by clients that have not authenticated themselves to the container. This is the common mode of access to web resources on the Internet.
• Application code may be the sole processor of signon and customization of data based on caller identity.
In these scenarios, a web application deployment descriptor may specify a
run-as element. When it is specified, the container must propagate the security identity for any call from a servlet to the EJB layer in terms of the security role name defined in the run-as element. The security role name must be one of the security role names defined for the web application.
For web containers running as part of a Java EE platform, the use of run-as elements must be supported both for calls to EJB components within the same Java EE application, and for calls to EJB components deployed in other Java EE applications.
This section details the deployment descriptor, packaging and deployment descriptor processing requirements of a Java EE technology compliant container.
or part of a Java EE application server. They are not required to be supported by containers wishing to support only the servlet specification:
• Syntax for looking up JNDI objects (env-entry, ejb-ref, ejb-local-ref, re- source-ref, resource-env-ref)
• Syntax for specifying the message destination (message-destination, mes- sage-destination-ref)
• Reference to a Web service (service-ref)
The syntax for these elements is now held in the JavaServer Pages specification version 2.1, and the Java EE specification version 5.0.
SRV.14.4.2 Packaging and Deployment of JAX-WS Components
Web containers may choose to support running components written to implement a Web service endpoint as defined by the JAX-RPC and/or JAX-WS specifications. Web containers embedded in a JavaEE conformant implementation are required to support JAX-RPC and JAX-WS web service components. This section describes the packaging and deployment model for such JAX-RPC and JAX-WS Web component implementations.
JSR-109 [http://jcp.org/jsr/detail/109.jsp] defines the model for packaging a Web service interface with its associated WSDL description and associated classes. It defines a mechanism for JAX-WS and JAX-RPC enabled Web containers to link to a component that implements this Web service. A JAX- WS or JAX-RPC Web service implementation component uses the APIs defined by the JAX-WS and/or JAX-RPC specifications, which defines its contract with the JAX-WS and/or JAX-WS enabled Web containers. It is packaged into the WAR file. The Web service developer makes a declaration of this component using the usual <servlet> declaration.
JAX-WS and JAX-RPC enabled Web containers must support the developer in using the Web deployment descriptor to define the following information for the endpoint implementation component, using the same syntax as for HTTP Servlet components using the servlet element. The child elements are are used to specify endpoint information in the following way:
• the servlet-name element defines a logical name which may be used to lo-
cate this endpoint description among the other Web components in the WAR • the servlet-class element provides the fully qualified Java class name of
this endpoint implementation
• the description element(s) may be used to describe the component and
may be displayed in a tool
• the load-on-startup element specifies the order in which the component is
initialized relative to other Web components in the Web container
• the security-role-ref element may be used to test whether the authenticat- ed user is in a logical security role
• the run-as element may be used to override the identity propagated to EJBs
called by this component
Any servlet initialization parameters defined by the developer for this Web component may be ignored by the container. Additionally, the JAX-WS and JAX- RPC enabled Web component inherits the traditional Web component
mechanisms for defining the following information:
• mapping of the component to the Web container’s URL namespace using the servlet mapping technique
• authorization constraints on Web components using security constraints • the ability to use servlet filters to provide low-level byte stream support for
manipulating JAX-WS and/or JAX-RPC messages using the filter mapping technique
• the timeout characteristics of any HTTP sessions that are associated with the component
• links to Java EE objects stored in the JNDI namespace
SRV.14.4.3 Rules for Processing the Deployment Descriptor The containers and tools that are part of Java EE technology-compliant
implementation are required to validate the deployment descriptor against the XML schema for structural correctness. The validation is recommended, but not required for the web containers and tools that are not part of a Java EE technology compliant