The application developer is responsible for the following:
Specifying application roles.
Defining role-based access restrictions for the application components (servlets and JSP components).
If programmatic security is used, verifying the user roles and authorizing access to features based on these roles. (Programmatic security management is discouraged because it hard-codes the security login in the application instead of allowing the containers to manage it.)
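The following servlet is an added example, not code from the original page, showing the three responsibilities side by side: declaring roles, a container-enforced (declarative) restriction, and a programmatic role check. It assumes a Servlet 3.0+ container with the `javax.servlet` annotations available; the role names `employee` and `manager`, the `/reports` URL and the `salaries` parameter are hypothetical.

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.annotation.security.DeclareRoles;
import javax.servlet.annotation.HttpConstraint;
import javax.servlet.annotation.ServletSecurity;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical roles and URL pattern, chosen for this example only.
// 1. Specify the application roles.
@DeclareRoles({"employee", "manager"})
@WebServlet("/reports")
// 2. Declarative restriction: the container rejects any caller who is not
//    authenticated in one of these roles before doGet() is ever invoked.
@ServletSecurity(@HttpConstraint(rolesAllowed = {"employee", "manager"}))
public class ReportServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        boolean wantsSalaries = "true".equals(req.getParameter("salaries"));

        // 3. Programmatic check for a feature inside the component.
        //    The role name is now hard-coded in application code, so changing
        //    who may see salaries means changing and redeploying the servlet.
        //    This is the maintenance cost the text warns about.
        if (wantsSalaries && !req.isUserInRole("manager")) {
            // Fail closed before any output is written.
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        resp.setContentType("text/plain");
        PrintWriter out = resp.getWriter();
        // getRemoteUser() is non-null here because the container has
        // already authenticated the caller to satisfy the constraint above.
        out.println("Report summary for " + req.getRemoteUser());
        if (wantsSalaries) {
            out.println("Salary section (manager role only)");
        }
    }
}
```

The same roles and restriction can be declared in the `web.xml` deployment descriptor with `<security-role>` and `<security-constraint>` elements instead of annotations, which keeps the policy out of compiled code entirely.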