For requests to models under the above protected models, where the user is not already authenticated, the application server's servlet container itself forces the user to log in before sending the request on to the original URL destination (provided the user is then authenticated and authorized based on the specified role(s)).
The following example illustrates Login Configuration from a J2EE standard web.xml configuration file for use with the above security constraints.
The login.html page referenced must contain the following items that the Servlet Container's login handling code will look for:
To use roles across multiple WARs in an EAR, the roles can be defined in the EAR file's META-INF/application.xml.
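As an added example (not part of the original page or of any product's code), the following Python check verifies that a web.xml form login configuration and the login page it references are consistent. The `j_security_check` action and the `j_username`/`j_password` field names come from the Java Servlet specification; the sample documents, file names and the POST requirement are assumptions made here.

```python
import xml.etree.ElementTree as ET
from html.parser import HTMLParser

# Constructed sample inputs (assumed names, not taken from the original page).
WEB_XML = """<web-app><login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/login.html</form-login-page>
    <form-error-page>/loginError.html</form-error-page>
  </form-login-config>
</login-config></web-app>"""
LOGIN_HTML = """<form method="POST" action="j_security_check">
  <input type="text" name="j_username">
  <input type="password" name="j_password">
</form>"""

class FormScan(HTMLParser):  # collects each <form>'s action, method and input names
    def __init__(self):
        super().__init__()
        self.forms, self.current = [], None
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.current = {"action": a.get("action") or "",
                            "method": (a.get("method") or "get").lower(), "fields": set()}
            self.forms.append(self.current)
        elif tag == "input" and self.current is not None:
            self.current["fields"].add(a.get("name"))
    def handle_endtag(self, tag):
        if tag == "form":
            self.current = None

def check_form_login(web_xml, login_html):
    """Return a list of problems; an empty list means the setup is consistent."""
    problems = []
    # Map element name (XML namespace stripped) to its text content.
    text = {el.tag.split("}")[-1]: (el.text or "").strip() for el in ET.fromstring(web_xml).iter()}
    if text.get("auth-method") != "FORM":
        problems.append("auth-method is not FORM")
    for key in ("form-login-page", "form-error-page"):
        if not text.get(key, "").startswith("/"):
            problems.append(f"{key} missing or lacks leading /")
    scan = FormScan()
    scan.feed(login_html)
    forms = [f for f in scan.forms if f["action"].split("?")[0].endswith("j_security_check")]
    if not forms:
        problems.append("no form submits to j_security_check")
    for f in forms:
        if f["method"] != "post":  # hardening check: GET would expose credentials in URLs
            problems.append("login form does not use POST")
        problems += [f"missing field {n}" for n in ("j_username", "j_password") if n not in f["fields"]]
    return problems
```

An empty result means the container's login handling will find everything it looks for; each string in a non-empty result names one mismatch to fix before deployment.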