1) the WebBundleDescriptor is specific to Glassfish and not something I believe we can expect to standardize.
It will involve some parsing, but an alternative and portable approach (suggested by Jan) would be to use:
Thread.currentThread().getContextClassLoader().getResource("/WEB-INF/web.xml").
or
Thread.currentThread().getContextClassLoader().getResourceAsStream("/WEB-INF/web.xml").
to get access to the web.xml.
2) the sam is supposed to be called on every request; please see the details as spelled out in the servlet profile. The SAM will be initialized with a requestPolicy of isMandatory=false when the sam is being called for a request for which authentication is not required. This allows the SAM to manage sessions, and to ensure that all requests within a session are performed with the same user identity once authentication has occurred.
Ron
[Message sent by forum member 'monzillo' (monzillo)]
http://forums.java.net/jive/thread.jspa?messageID=302453