The component containers are responsible for providing Java EE application security. Two security forms are provided by the container: programmatic security and declarative security.
In programmatic security, a servlet uses method calls to the security API, as specified by the Java EE security model, to make business logic decisions based on the caller or remote user's security role. Programmatic security should only be used when declarative security alone is insufficient to meet the application's security model.
The Java EE 1.4 specification defines programmatic security with respect to servlets as consisting of two methods of the servlet HttpServletRequest interface. Web Server supports these interfaces as defined in the specification.
In addition to the programmatic security defined in the Java EE specifications, Web Server also supports programmatic login. For more information, see Programmatic Login
Declarative security means that the security mechanism for an application is declared and handled externally to the application. Deployment descriptors describe the Java EE application's security structure, including security roles, access control, and authentication requirements.
Web Server supports the DTDs specified by the Java EE 1.4 specification, and has additional security elements included in its own deployment descriptors. Declarative security is the application deployers responsibility.