JBOSS Security: web.xml vs. jboss-web.xml

What is the relation between web.xml and jboss-web.xml? Seems like:

• Jboss-web.xml
  • specifies the security domain (which can be found in login-config.xml)

• web.xml
  • specifies wha开发者_Go百科t the security level is

I don't understand what happens when jboss-web.xml specifies a weak security domain. Ie: one that cannot do what web.xml specifies. What happens then?

To answer your general question, web.xml is the standard J2EE configuration file and is server-agnostic and its configurations will work with any J2EE compliant application server.

jboss-web.xml are JBoss specific extensions and abilities that exist only in JBoss (that is, another application server from another vendor may do that function, but it configures it differently). login-config.xml is also jboss specific, which is why you need a vendor specific configuration to tie the war and the login together.

I don't know if it is possible to have a configuration problem other than the JBoss security being too lax, but if there is a serious misconfiguration, I would expect JBoss to throw an error on deployment and fail to deploy the war.