Re: doubt about the web.xml
>The @RolesAllowed annotation is not defined by JSR 375 and there was sadly not enough time to better integrate with it or provide a better alternative.
Indeed, we should really address this for JSR 375.Next
>For now, @RolesAllowed are only portable on EJB components, although some servers such as Payara support them on any CDI bean AFAIK.
We have a duo solution in place. @RolesAllowed is by default supported on any JAX-RS resource, and is "http facing", means that if the user is not authenticated it triggers the configured authentication mechanism.
For business beans we have an annotation in the Payara API called RolesPermitted (https://github.com/payara/Payara/blob/master/api/payara-api/src/main/java/fish/payara/cdi/auth/roles/RolesPermitted.java#L64) That one is backed by a regular CDI interceptor.
For JSR 375.Next we should probably have a combination of these two.