When developing a Web service(Hospital Management System) using Java EE, is it necessary that for each Web Service call, it has to be checked that the user is logged in??

Which authentication method is the best JAAS, WS-Security, SAML, or a combination or using own tokens??

It all depends on how is your web service implemented/or its going to be. If you still have a choice I would recommend going with REST approach, authenticate the user with some kind of login functionality and then maintain users session.

You can use filters.

Here's an example of how to use filters:

http://viralpatel.net/blogs/2009/01/tutorial-java-servlet-filter-example-using-eclipse-apache-tomcat.html

Basically you define the url's where you want the filters to apply, the filter authorizes the user and then calls chain.doFilter(request, response); to call the requested method after authorization.

You can also take a look at this jax-rs rest webservice authentication and authorization

Personally, I use tokens for authorization.