users@glassfish.java.net

Re: EAR does not propagate REALM to WAR AND Web Service Context has NULL pr

From: <glassfish_at_javadesktop.org>
Date: Fri, 09 Nov 2007 08:54:14 PST

Marco,

Please see my reply to your other recent post, as in it I demonstrate how I was able to inject a WebServiceContext in an endpoint, and to obtain from it the user identity as established by the servlet layer authentication mechanism. That should address the 3rd issue you raised on this thread.

I repackaged the web module (I described in the other post) into an EAR, and within the associated sun-application.xml, I bound an application specific user repository/realm to the application. I had first used the admin-console to create a new file realm, and then I bound that realm to the app as described above. I deployed the resulting EAR, used the client as before, and demonstrated that the servlet layer authentication was performed against the new realm.

I have not tried this with a custom JDBC realm, but I will do so, after I send this msg. I did notice some problems until I properly configured the second realm, but I am not otherwise able to duplicate the 1st issue you raised on this thread.

Regarding the 2nd issue you raised, you are correct that there is no way within a WAR to declare the user repository/realm that is utilized by the WAR. We are taking steps to correct that.

At the current time, you must package a web module in an EAR, in order to customize its realm.

Is that acceptable to you, assuming we can help you get the configuration right?

As I think you concluded, the realm specification in web.xml defines the content of WWW-Authenticate challenges.

It is possible that what I tested did not match what you are trying to do, and moreover we want to make sure that we can figure out why you encountered these issues, so if you can provide any more info, I'll check it out, and let you know what I find.

BTW, the GlassFish servlet container implements the servlet profile of JSR 196, which means that you can inject a message layer authentication module in the servlet container, which will allow you to completely manage the HTTP layer authentication dialog (whereas the realm only allows you to manage the password validation). If you have an interest in writing and configuring a Server Auth Module in GlassFish, I can show you how to do that.

Ron
[Message sent by forum member 'monzillo' (monzillo)]

http://forums.java.net/jive/thread.jspa?messageID=244780
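
The EAR-level realm binding described in the message above, as an added example that is not part of the original post or the poster's own descriptor. The realm name `app-file-realm`, the WAR name, the context root, and the role and group names are assumptions; the realm must already exist on the server (created in the admin console, for example) under exactly the name used here.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE sun-application PUBLIC
  "-//Sun Microsystems, Inc.//DTD Application Server 9.0 Java EE Application 5.0//EN"
  "http://www.sun.com/software/appserver/dtds/sun-application_5_0-0.dtd">
<!-- META-INF/sun-application.xml inside the EAR (constructed example) -->
<sun-application>

  <!-- The web module whose servlet layer authentication should use the
       application-specific realm. Names are hypothetical. -->
  <web>
    <web-uri>secured-endpoint.war</web-uri>
    <context-root>/secured-endpoint</context-root>
  </web>

  <!-- Maps a role declared in the module's web.xml to a group defined in
       the realm's user repository. Without a mapping, an authenticated
       caller can still fail the authorization check. -->
  <security-role-mapping>
    <role-name>ws-user</role-name>
    <group-name>ws-users</group-name>
  </security-role-mapping>

  <!-- Binds every module in this EAR to the named realm instead of the
       server's default realm. This is the setting that has no equivalent
       in a standalone WAR, per the message above. -->
  <realm>app-file-realm</realm>

</sun-application>
```

The `<realm-name>` inside `<login-config>` in the module's web.xml is a separate setting: as the message says, it defines the content of the WWW-Authenticate challenge.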