Can JAAS security domain info only be specified in server specific deployment descriptors?

Yes, there is. You'll need to specify the realm name in the web.xml file, in a manner similar to the one shown below:

    ...
    <login-config>
        <auth-method>FORM</auth-method>
        <realm-name>myRealm</realm-name>
        <form-login-config>
            <form-login-page>/login.xhtml</form-login-page>
            <form-error-page>/login-error.xhtml</form-error-page>
        </form-login-config>
    </login-config>
    ...

The above works in Glassfish without any entries in sun-web.xml, except for the role to group mapping (that is used for enforcing authorization constraints).

Specifying the security-domain element in the JBoss deployment descriptor is a better approach when you have a web module and an EJB module that must use principals from only one Security Manager in JBoss (and the equivalent implementations in other containers). Given how JAAS login modules work and that one cannot specify a realm for authentication in ejb-jar.xml, it is quite possible that the EJB container will permit a business method invocation based on successful authentication response from a different Login Module (than what you intended).

This would mean that a user in a different realm but the same group (mapped to the permitted role for the business method) is capable of invoking the business method. It is to avoid this scenario that one would specify the security domain in the vendor-specific deployment descriptor. Note - I'm unsure of the behavior of the container in choosing a JAAS Login Module for EJBs deployed in a WAR.
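A deployment check for the scenario described in the answer above, as an added example that is not part of the original answer: it reads the JBoss vendor descriptors of a web module and an EJB module and reports when either omits `security-domain` or when the two name different domains. The descriptor contents are constructed samples, the legacy `jboss-web.xml` / `jboss.xml` layout is an assumption, and `security_domain`, `audit` and the finding codes are hypothetical names.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptors (legacy JBoss layout assumed, not from the page).
JBOSS_WEB_XML = "<jboss-web><security-domain>java:/jaas/myRealm</security-domain></jboss-web>"
JBOSS_EJB_XML = "<jboss><security-domain>java:/jaas/otherRealm</security-domain></jboss>"


def security_domain(descriptor_xml):
    """Return the bare security-domain name from a descriptor, or None."""
    if not descriptor_xml:
        return None
    for el in ET.fromstring(descriptor_xml).iter():
        # Compare local names so namespaced descriptors are handled too.
        if el.tag.rsplit("}", 1)[-1] == "security-domain" and (el.text or "").strip():
            # "java:/jaas/myRealm" and "myRealm" name the same domain.
            return el.text.strip().rsplit("/", 1)[-1]
    return None


def audit(jboss_web_xml, jboss_ejb_xml):
    """Hypothetical check: return finding codes for one web + EJB module pair."""
    web = security_domain(jboss_web_xml)
    ejb = security_domain(jboss_ejb_xml)
    findings = []
    if web is None:
        findings.append("WEB_DOMAIN_MISSING")
    if ejb is None:
        # The case the answer warns about: with no domain pinned, EJB calls
        # may be authorised via a login module other than the intended one.
        findings.append("EJB_DOMAIN_MISSING")
    if web and ejb and web != ejb:
        # Web tier and EJB tier would take principals from different domains.
        findings.append(f"DOMAIN_MISMATCH:{web}!={ejb}")
    return findings


if __name__ == "__main__":
    for code in audit(JBOSS_WEB_XML, JBOSS_EJB_XML):
        print(code)
```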
