Enhancement
Resolution: Done
Major
Presently, when a servlet is deployed, it can operate in one of two modes if an authentication constraint is specified but no roles are actually listed.
- Permit - Do not require authentication and don't perform a roles check.
- Deny - Just restrict access; there are no roles to check against, so performing authentication will not help.
For integration with other containers we need a third mode which mandates authentication but does not perform a roles check. An example of this is the JBossWS integration, which requires HTTP authentication for the inbound request but does not require a roles check as that will be handled by the EJB container - in fact the EJB may even be annotated with @PermitAll, meaning no roles are even checked there.
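The three modes written out as an access decision, as an added example that is not code from this issue or from the containers it mentions. The type names (`EmptyRoleMode`, `Decision`, `Constraint`, `Caller`) are hypothetical, and mapping "challenge" to HTTP 401 and "forbid" to HTTP 403 is an assumption.

```java
import java.util.Set;

// Added illustration: a minimal model of the decision, not container code. All names are hypothetical.
public class EmptyRoleModes {
    enum EmptyRoleMode { PERMIT, DENY, AUTHENTICATE }
    enum Decision { ALLOW, CHALLENGE, FORBID }

    // A security constraint as seen after deployment; roles may be empty.
    record Constraint(boolean authConstraintPresent, Set<String> roles, EmptyRoleMode emptyRoleMode) {}

    // The caller; user == null means the request carried no valid credentials.
    record Caller(String user, Set<String> roles) {
        boolean authenticated() { return user != null; }
    }

    static Decision decide(Constraint c, Caller caller) {
        if (!c.authConstraintPresent()) {
            return Decision.ALLOW;                    // resource is unconstrained
        }
        if (c.roles().isEmpty()) {
            switch (c.emptyRoleMode()) {
                case PERMIT: return Decision.ALLOW;   // no authentication, no roles check
                case DENY:   return Decision.FORBID;  // authenticating would not help
                case AUTHENTICATE:                    // identity required, roles left to the EJB layer
                    return caller.authenticated() ? Decision.ALLOW : Decision.CHALLENGE;
            }
        }
        if (!caller.authenticated()) {
            return Decision.CHALLENGE;                // assumed to surface as HTTP 401
        }
        for (String role : c.roles()) {               // normal case: one listed role must match
            if (caller.roles().contains(role)) return Decision.ALLOW;
        }
        return Decision.FORBID;                       // assumed to surface as HTTP 403
    }

    public static void main(String[] args) {
        Caller anonymous = new Caller(null, Set.of());   // constructed sample: no credentials
        Caller alice = new Caller("alice", Set.of());    // constructed sample: authenticated, no roles
        for (EmptyRoleMode mode : EmptyRoleMode.values()) {
            Constraint c = new Constraint(true, Set.of(), mode);
            System.out.println(mode + ": anonymous=" + decide(c, anonymous) + ", alice=" + decide(c, alice));
        }
    }
}
```

Only the third mode separates the two sample callers: an authenticated user with no roles is let through to the next layer, while an anonymous request is challenged.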
- blocks: JBWS-3620 Authentication failures w/ Undertow (Closed)