Programmatic security is when an EJB component or servlet uses method calls to the security API, as specified by the J2EE security model, to make business logic decisions based on the caller or remote user’s security role. Programmatic security should only be used when declarative security alone is insufficient to meet the application’s security model.
The J2EE specification, v1.4 defines programmatic security as consisting of two methods of the EJB EJBContext interface and two methods of the servlet HttpServletRequest interface. The Application Server supports these interfaces as specified in the specification.
For more information on programmatic security, see the following:
Section 3.3.6, Programmatic Security, in the J2EE Specification, v1.4