Security
Multiuser applications are likely to expose a wide variety of operations, and not all callers are created equal. An unsecured banking system won’t discriminate between a teller and a branch manager when confronted with a request to approve a loan, and manually baking this logic into the business method mixes two concerns. EJB therefore provides a role-based security mechanism that bolsters existing application code with a set of security policies governed by the Container (Figure 3-4).

Figure 3-4. EJB Security permitting access based upon the caller’s role
This allows the application developer to explicitly allow or deny access at a fine-grained level based upon the caller’s identity.
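As an added illustration of the role-based model (this is example code written for this section, not code from the book or from any EJB vendor), the session bean below applies the container's security policies to the loan scenario from the text. The role names `Teller` and `BranchManager`, the `LoanServiceBean` class and the approval threshold are all assumptions made for the example; the annotations (`@RolesAllowed`, `@PermitAll`, `@DenyAll`, `@DeclareRoles`) and the `SessionContext` methods are standard EJB 3.x APIs.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.DenyAll;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ejb.EJBAccessException;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

/**
 * Hypothetical loan-approval bean (example only). Role names "Teller" and
 * "BranchManager" are assumptions; the deployer maps real users/groups to them.
 */
@Stateless
@DeclareRoles({ "Teller", "BranchManager" })
// Bean-level default: every business method is open to both roles
// unless a method-level annotation overrides it.
@RolesAllowed({ "Teller", "BranchManager" })
public class LoanServiceBean {

    // Assumed business rule: amounts at or above this need a manager.
    private static final double MANAGER_THRESHOLD = 50_000.0;

    // Constructed in-memory store so the example is self-contained.
    private static final Map<Long, Double> PENDING = new ConcurrentHashMap<>();

    @Resource
    private SessionContext ctx;

    // Public rate lookup: any caller, authenticated or not.
    @PermitAll
    public double currentRate() {
        return 0.0525;
    }

    // Inherits the bean-level rule: tellers and managers may submit.
    public long submitLoan(long loanId, double amount) {
        PENDING.put(loanId, amount);
        return loanId;
    }

    // Declarative check: callers outside these roles are rejected by the
    // container with EJBAccessException before this method body executes.
    @RolesAllowed({ "Teller", "BranchManager" })
    public void approveLoan(long loanId) {
        Double amount = PENDING.get(loanId);
        if (amount == null) {
            throw new IllegalArgumentException("unknown loan " + loanId);
        }
        // Programmatic check for a rule the annotations cannot express:
        // large loans require the BranchManager role at runtime.
        if (amount >= MANAGER_THRESHOLD && !ctx.isCallerInRole("BranchManager")) {
            throw new EJBAccessException(ctx.getCallerPrincipal().getName()
                    + " is not permitted to approve loans >= " + MANAGER_THRESHOLD);
        }
        PENDING.remove(loanId);
    }

    // Only branch managers, regardless of the bean-level default.
    @RolesAllowed("BranchManager")
    public void writeOffLoan(long loanId) {
        PENDING.remove(loanId);
    }

    // Never reachable through the EJB client view, whatever the caller's role.
    @DenyAll
    public void purgeAllPending() {
        PENDING.clear();
    }
}
```

The point the example makes is the separation the text describes: the declarative annotations keep the coarse allow/deny decision out of the business method entirely, while `SessionContext.isCallerInRole` is reserved for the one check that genuinely depends on business data (the loan amount). A deployment descriptor can override or extend these annotations without recompiling the bean, which is what lets the deployer, rather than the developer, decide how real users map onto `Teller` and `BranchManager`.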
We’ll delve into the security model in Chapter 15.