Declarative v/s Programmatic

You can restrict access to servlets and other resources in a Web Application by using security constraints. Security constraints are defined in the Web Application deployment descriptor (web.xml). There are three basic types of security constraints:

* Constraining resources by roles and/or resource * Secure Sockets Layer (SSL) encryption * Programmatic authorization

Roles can be mapped to a principal. Specific resources can be constrained by matching a URL pattern to a resource in a Web Application. You can also use Secure Sockets Layer (SSL) as a security constraint.

You can perform authorization programmatically, using one of the following methods of the HttpServletRequest interface:

* getRemoteUser * isUserInRole * getUserPrincipal

For more information see the javax.servlet API.