Unlike system security, which affects all the applications on Enterprise Server, Application security affects a particular application. There are basically two types of application security: programmatic and declarative.
In declarative security, Enterprise Server container handles security through an application's deployment descriptors. You can control declarative security by editing deployment descriptors directly. Because deployment descriptors can change after an application is developed, declarative security allows for more flexibility.
In programmatic security, application code handles security chores. Generally, programmatic security is discouraged since security configurations are hard coded in the application instead of being managed through the Java EE containers. Programmatic security is controlled by the application developer.
Information on application security is contained in the Chapter 4, Securing Applications, in Sun GlassFish Enterprise Server v3 Prelude Developer’s Guide.