I implemented a web service as a session ejb. Some of the methods exposed by this web service require certain privileges. I modified my ejb-jar.xml file and declaratively specified this by using the element.

I have a Java client. If I pass credentials (e.g., name, password) into the constructor of the stub for the web service interface, the container properly recognizes this information, authenticates the user and either responds to or rejects the request based on if the user is permitted to call the method.

I have a non-Java client. If I try to do the same thing, it does not work. Peeking underneath the covers, I've discovered that the credentials are never being used.

Now I did get something to work. If I manually modify the web.xml for the web-services.war that is generated by servicegen to put a security constraint on the URL for the web service using the element, when I run the non-Java client again, the credentials *are* used, properly recognized, etc.

(1) Does anyone know why the security constraint is necessary for the non-Java client but not the Java client?

(2) Am I doing something wrong? missing something? Is there a different way to do this?

(3) Since I implemented the web service as a session EJB but it appears the generated web-services.war content needs to be manually modified, is there a way to generate this security constraint? I've tried various things and cannot seem to do this.

Thanks for feedback!