In Java EE, component containers are responsible for providing application-layer security. Application-layer security provides security services for a specific application type tailored to the needs of the application. At the application layer, application firewalls can be employed to enhance application protection by protecting the communication stream and all associated application resources from attacks.
Java EE security is easy to implement and configure, and can offer fine-grained access control to application functions and data. However, as is inherent to security applied at the application layer, security properties are not transferable to applications running in other environments and only protect data while it is residing in the application environment. In the context of a traditional application, this is not necessarily a problem, but when applied to a web services application, where data often travels across several intermediaries, you would need to use the Java EE security mechanisms along with transport-layer security and message-layer security for a complete security solution.
The advantages of using application-layer security include the following:
Security is uniquely suited to the needs of the application.
Security is fine-grained, with application-specific settings.
The disadvantages of using application-layer security include the following:
The application is dependent on security attributes that are not transferable between application types.
Support for multiple protocols makes this type of security vulnerable.
Data is close to or contained within the point of vulnerability.
For more information on providing security at the application layer, read Securing Containers.