The technical article from Shing Wai Chan explains the security annotations defined in JSR 250 and demonstrates how to use them for securing an application with authentication and authorization in GlassFish and the Java EE 5 SDK (formerly called the Java 2 Platform, Enterprise Edition, or J2EE).
With Java EE 5, developers can specify annotations in Java source files instead of putting metadata in deployment descriptors, Chan explains. This simplifies development with Java EE 5.
JSR 250 defines annotations for common semantic concepts in the J2SE (formerly called the Java 2 Platform, Standard Edition, now Java SE) and J2EE platforms that apply across a variety of individual technologies. Chan describes five security annotations: PermitAll, DenyAll, RolesAllowed, DeclareRoles and RunAs. Examples of invalid use of the annotations are also listed. A figure illustrates the rules governing inheritance of annotations and the method permissions that result.
A section of the article covers deployment descriptors, which annotations simplify but do not fully replace. As Chan explains, "However, there are some scenarios in which we still need or prefer to use deployment descriptors." Code samples show how to "protect the GET and POST methods of index.jsp so that they are only accessible by the role employee", and other code shows how a descriptor overrides the method permissions set by annotations.
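As an added illustration (not code from Chan's article), the following stateless EJB 3.0 session bean uses all five JSR 250 security annotations and shows how a class-level default combines with method-level overrides, which is the inheritance behaviour the article's figure describes. The bean name, interface and role names are assumptions made for this example.

```java
// Added example, not from the original article. PayrollBean, PayrollLocal and
// the roles employee/manager/auditor are assumed names for illustration only.
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.DenyAll;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.annotation.security.RunAs;
import javax.ejb.Local;
import javax.ejb.Stateless;

@Local
interface PayrollLocal {
    double getOwnSalary(String employeeId);
    void adjustSalary(String employeeId, double delta);
    String getPayDate();
    void legacyExport();
}

@Stateless
// Every role name referenced by the bean must be declared (class level only).
@DeclareRoles({"employee", "manager", "auditor"})
// Class-level default: applies to each business method that carries no
// PermitAll/DenyAll/RolesAllowed of its own.
@RolesAllowed("employee")
// Identity the container uses for calls this bean makes to other beans
// (class level only); it does not change who may call this bean.
@RunAs("auditor")
public class PayrollBean implements PayrollLocal {

    // No method-level annotation: inherits @RolesAllowed("employee").
    public double getOwnSalary(String employeeId) {
        return 1000.0; // placeholder for a real lookup
    }

    // Method-level annotation replaces the class default for this method only;
    // callers in "employee" but not "manager" are rejected here.
    @RolesAllowed("manager")
    public void adjustSalary(String employeeId, double delta) {
        // placeholder for the update
    }

    // Open to any caller, authenticated or not.
    @PermitAll
    public String getPayDate() {
        return "last business day of the month";
    }

    // No role may invoke this method; the container rejects every call.
    // (In Common Annotations 1.0, DenyAll is permitted on methods only.)
    @DenyAll
    public void legacyExport() {
        // intentionally unreachable through the container
    }
}
```

Only one of PermitAll, DenyAll and RolesAllowed may appear on a given class or method; stacking two of them is one of the invalid combinations the article warns about. When a deployment descriptor is also present, a `method-permission` entry in ejb-jar.xml that names one of these methods takes precedence over the annotation on it, which is the override scenario the article's descriptor samples cover.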