Hi.,
The Realm Settings in the Descriptors are not inherited by the WebServices SOAP Layer Security. This is primarly because the <realm> configuration elements appear under Java EE 5 specified authentication methods (web and ejb) and not inherited by webservices.
Thanks for reporting this. It may be possible in this specific case where the realm is specified in sun-application.xml (let me see if we can fix this as a bug).
As for sepcifying constraints based on the servlet path in web.xml you are right about the chicken and egg problem. This is because there is really a need for a separate way of specifying Role based access for webservice operations. Java EE 6 would be addressing these issues.
You should see solutions to these problems in the coming year.
Thanks.
[Message sent by forum member 'kumarjayanti' (kumarjayanti)]
http://forums.java.net/jive/thread.jspa?messageID=243761