Security can be managed either by a web container (the environment in which an application runs) or by the application itself. A web container is synonymous with a JEE application server, such as IBM® WebSphere® Application Server or Apache Tomcat. Web container-managed security is also known as JEE or J2EE security. Security that is written by the developer of the application, called application-managed security, is also known as custom security. Both kinds of security have advantages and drawbacks that you must understand before you implement them.
You can choose to use either declarative or programmatic security. In declarative security, security policies are defined outside of the application, in deployment descriptors or configuration files, so the application is security-unaware. With programmatic security, the application code contains explicit security calls.
Web container-managed (JEE) security is declarative because security constraints are defined in deployment descriptors or configuration files. JEE security can also be programmatic because it includes some security-related APIs that can be called from within an application. Application-managed (custom) security is programmatic because security is handled completely from within the application.
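The split described above, as an added example that is not from the original page: the `web.xml` fragment in the leading comment carries the declarative constraint that the container enforces, and the servlet then uses the JEE programmatic calls `getUserPrincipal` and `isUserInRole` for a rule that a URL pattern cannot express. The role names, the `/reports/*` pattern, the `owner` parameter and the `ReportServlet` class are assumptions made for illustration.

```java
// Declarative part (container-managed), WEB-INF/web.xml fragment.
// The container authenticates the caller and checks the role before
// the servlet code below is ever invoked.
//
// <security-constraint>
//   <web-resource-collection>
//     <web-resource-name>reports</web-resource-name>
//     <url-pattern>/reports/*</url-pattern>
//   </web-resource-collection>
//   <auth-constraint>
//     <role-name>employee</role-name>
//     <role-name>auditor</role-name>
//   </auth-constraint>
//   <user-data-constraint>
//     <transport-guarantee>CONFIDENTIAL</transport-guarantee>
//   </user-data-constraint>
// </security-constraint>
// <login-config><auth-method>BASIC</auth-method></login-config>
// <security-role><role-name>employee</role-name></security-role>
// <security-role><role-name>auditor</role-name></security-role>

import java.io.IOException;
import java.security.Principal;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Programmatic part: hypothetical servlet mapped under /reports/*.
public class ReportServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        // Identity established by the container, not by application code.
        Principal caller = req.getUserPrincipal();
        if (caller == null) {
            // Fail closed if the servlet is ever mapped outside the constraint.
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        String owner = req.getParameter("owner"); // may be null; equals(null) is false
        // Auditors may read any report; employees only their own.
        boolean allowed = req.isUserInRole("auditor")
                || (req.isUserInRole("employee") && caller.getName().equals(owner));
        if (!allowed) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        resp.setContentType("text/plain;charset=UTF-8");
        resp.getWriter().println("Report access granted.");
    }
}
```

Application-managed (custom) security would replace both parts: the application would perform its own authentication and role lookup instead of relying on the descriptor and the container-supplied principal.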