The component containers are responsible for providing J2SE application security. Two security forms are provided by the container, as discussed below: programmatic security and declarative security.
Programmatic security is when a servlet uses method calls to the security API, as specified by the J2SE security model, to make business logic decisions based on the caller or remote user's security role. Programmatic security should only be used when declarative security alone is insufficient to meet the application's security model.
The J2SE 1.3 specification defines programmatic security with respect to servlets as consisting of two methods of the servlet HttpServletRequest interface. Sun Java System Web Server supports these interfaces as defined in the specification.
In addition to the programmatic security defined in the J2SE specifications, Sun Java System Web Server also supports programmatic login. For more information, see Programmatic Login.
Declarative security means that the security mechanism for an application is declared and handled external to the application. Deployment descriptors describe the J2SE application's security structure, including security roles, access control, and authentication requirements.
Sun Java System Web Server supports the DTDs specified by the J2SE 1.3 specification, and has additional security elements included in its own deployment descriptors. Declarative security is the application deployer's responsibility.