Today, you have looked at several aspects of J2EE security. You've studied basic security terminology, including the difference between authentication and authorization.
You have seen how the J2EE specification doesn't specify the authentication schemes that must be used but relies on a server to provide some form of authentication. The authenticated username is known as a J2EE principal.
J2EE authorization is based on roles defined for each EJB JAR or Web JAR in the application. Each authenticated principal can be mapped onto one or more roles.
J2EE uses declarative constraints to define authorization based on the roles defined in the application. Each method in an EJB can be authorized for all principals or a specific list of roles. ...