J2EE security: Container versus custom

The focus here is specifically J2EE security, which is a type of application security because it deals with a J2EE application's users (i.e., callers).

There are five main functions when considering application security:
authentication,
authorization,
registration,
account maintenance (updates),
and account deletion/inactivation.

These functions are:
knowing the user (authentication),
knowing what the user can do (authorization),
creating new users (registration),
updating user information (account maintenance),
and removing a user or preventing a user from accessing the application (account deletion).

As will be illustrated, all of these functions cannot be accomplished without a custom solution.

Java Runtime Environment (JRE)/container and application authorization. JRE/container authorization is the process of determining whether the user making the request has privileges to do so. The JRE/container determines this prior to any code executing. An example is a J2EE container that must first check whether the current user has permissions to execute a servlet (via a resource URL constraint) before executing the servlet. This type of authorization is also known as declarative security because it is declared in the configuration files for the Web application.


Reposted from wwwjjq.iteye.com/blog/1489784