The application deployer is responsible for:
Mapping users or groups (or both) to security roles.
Refining the privileges required to access component methods to suit the requirements of the specific deployment scenario.
An application deployer can use tools such as deploytool to edit application deployment descriptors. These security tasks are discussed in more detail in the Security chapter of The J2EE 1.4 Tutorial, which can be viewed at http://java.sun.com/j2ee/1.4/docs/tutorial/doc/index.html.