Multiuser applications, in order to be secure, must respect that there are differences in user types. For instance, perhaps a system administrator should be given access to alter records hidden to typical users. Coding security logic inside our applications, however, mixes concerns and makes code less maintainable. EJB therefore provides as a service a role-based security model which is both declarative (via metadata) and programmatic (via an API).

In this example we model a school with strict policies about who can open the doors when. Here we showcase the use of @RolesAllowed, @DeclareRoles, @RunAs and @PermitAll.