EJB security is determined by the declarative entries added to the deployment descriptor (DD), by the programmatic constraints coded into the EJBs, or by a combination of both.
Ideally, EJB security should use only the declarative approach, but where declarative security cannot represent the application's requirements, security must be encoded in the EJB class. Programmatic security is less portable and may restrict the way an application assembler can combine beans from different sources.
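The two approaches side by side, as an added example that is not code from the original page: a role check the container enforces declaratively, and an ownership rule that roles alone cannot express and so has to be coded in the bean. The bean, the role names "teller" and "customer", and the sample data are assumptions; the annotations are the EJB 3 (javax.ejb) equivalents of the DD entries named in the comments.

```java
import java.math.BigDecimal;
import java.util.Map;
import java.util.Set;
import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.RolesAllowed;
import javax.ejb.EJBAccessException;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

// Hypothetical bean for illustration; role names are assumptions.
@Stateless
@DeclareRoles({"teller", "customer"}) // DD equivalent: <security-role> entries
public class AccountBean {

    @Resource
    private SessionContext ctx; // injected by the container

    // Constructed, read-only sample data: account owner -> balance.
    private static final Map<String, BigDecimal> BALANCES = Map.of(
            "alice", new BigDecimal("120.00"),
            "bob", new BigDecimal("75.50"));

    // Declarative only: the container rejects any caller outside "teller"
    // before the method body runs. DD equivalent: <method-permission>.
    @RolesAllowed("teller")
    public Set<String> listOwners() {
        return BALANCES.keySet();
    }

    // Combination: the role gate stays declarative, but "a customer may read
    // only their own account" depends on the argument, so it is checked in code.
    @RolesAllowed({"teller", "customer"})
    public BigDecimal balance(String owner) {
        String caller = ctx.getCallerPrincipal().getName();
        // The role name is now hard-coded in the class, which is what makes
        // programmatic security harder to reassemble with other beans.
        if (!ctx.isCallerInRole("teller") && !caller.equals(owner)) {
            throw new EJBAccessException("caller may read only their own account");
        }
        BigDecimal balance = BALANCES.get(owner);
        if (balance == null) {
            throw new IllegalArgumentException("unknown account");
        }
        return balance;
    }
}
```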
Defining security for an EJB involves:
Defining one or more roles to control access to different areas of your application
Restricting access to EJBs and EJB methods according to the client's roles
Mapping roles onto principals in the authentication ...