For example, Enterprise JavaBeans components use an EJB deployment
descriptor, which must be named ejb-jar.xml and placed in the META-INF
folder of the EJB JAR file.
Web components use a web application deployment descriptor named web.xml,
which is located in the WEB-INF directory.
Since the release of Java EE 5, you can apply declarative security by means of
annotations just like we have for other key APIs (EJB, web services, and so on).
Annotations are specified within a class file, and when the application is
deployed, the application server translates this information internally.
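As an added example that is not part of the book's text, here is what the annotation form of declarative security looks like on an EJB 3 session bean, using the javax.annotation.security annotations introduced with Java EE 5. The bean name, the method names and the role names "admin" and "user" are assumptions; the container enforces the annotations before a method body runs, exactly as it would enforce equivalent method-permission entries in ejb-jar.xml.

```java
// Added example (not from the book): declarative security via annotations on an
// EJB 3 stateless session bean. Role names "admin" and "user" are assumed.
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.DenyAll;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ejb.Stateless;

@Stateless
@DeclareRoles({"admin", "user"})   // roles this bean refers to (maps to <security-role> in the descriptor)
@RolesAllowed("user")              // class-level default: any caller in role "user" may invoke methods
public class AccountService {

    // Overrides the class default: callable by anyone, including unauthenticated callers.
    @PermitAll
    public String version() {
        return "1.0";
    }

    // No annotation here, so the class-level @RolesAllowed("user") applies.
    public String balance(String accountId) {
        return "balance of " + accountId;
    }

    // Narrower than the class default: only callers in role "admin".
    @RolesAllowed("admin")
    public void closeAccount(String accountId) {
        // ... business logic ...
    }

    // Never callable through the container, whatever the caller's roles.
    @DenyAll
    public void rebuildIndex() {
        // ... maintenance logic ...
    }
}
```

A caller that does not satisfy the annotation never reaches the method body: the container rejects the call with a javax.ejb.EJBAccessException. If the same bean also had method-permission entries in ejb-jar.xml, the descriptor settings would take precedence over the annotations.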
• Programmatic security : This is embedded in an application and used to make
security decisions. It can be used when declarative security alone is not sufficient
to express the security model of an application. The Java EE security API allows
the developer to test whether or not the current user belongs to a specific role,
using the following calls:
◦ isUserInRole() for servlets and JSPs (adopted in
◦ isCallerInRole() for EJBs (adopted in
Additionally, there are other API calls that provide access to the user's identity,
which are as follows:
◦ getUserPrincipal() for servlets and JSPs (adopted in
◦ getCallerPrincipal() for EJBs (adopted in
Using these APIs, you can develop arbitrarily complex authorization models.
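The following is an added example, not code from the book, showing the four programmatic calls above used for a check that declarative security cannot express: a report may be read by its owner or by an administrator. The servlet and bean names, the "owner" request parameter and the role name "admin" are assumptions, and the servlet is assumed to be mapped in web.xml; the two classes are shown together here but belong in separate source files.

```java
// Added example (not from the book): programmatic security in a servlet and in an EJB.
// Assumed: the servlet is mapped in web.xml, the "admin" role is declared
// (via <security-role> / <security-role-ref> or @DeclareRoles), and "owner" is a request parameter.

// --- ReportServlet.java ---
import java.io.IOException;
import java.security.Principal;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class ReportServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // getUserPrincipal() is null when the request was not authenticated.
        Principal user = req.getUserPrincipal();
        if (user == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        String owner = req.getParameter("owner");
        // isUserInRole() answers a role question; the ownership comparison is the part
        // that only programmatic security can express.
        boolean isAdmin = req.isUserInRole("admin");
        boolean isOwner = owner != null && owner.equals(user.getName());
        if (!isAdmin && !isOwner) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        resp.setContentType("text/plain");
        resp.getWriter().println("report for " + owner + " requested by " + user.getName());
    }
}

// --- ReportBean.java ---
import java.security.Principal;
import javax.annotation.Resource;
import javax.ejb.EJBAccessException;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

@Stateless
public class ReportBean {
    @Resource
    private SessionContext ctx;   // injected by the container; exposes the caller identity

    public String reportFor(String owner) {
        // getCallerPrincipal() never returns null for an EJB: unauthenticated callers
        // appear under the container's configured anonymous principal.
        Principal caller = ctx.getCallerPrincipal();
        if (!ctx.isCallerInRole("admin") && !caller.getName().equals(owner)) {
            throw new EJBAccessException(caller.getName() + " may not read reports of " + owner);
        }
        return "report for " + owner;
    }
}
```

The role name passed to isUserInRole() and isCallerInRole() is the logical role used in the application, not a group name from the user store; the mapping from roles to real groups is done in the deployment descriptor or by the application server, which is what keeps this code portable across deployments.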