In web applications if there is a requirement to protect the site to restricted users or groups of users there are different ways to achieve it. The traditional way of doing it is to have it the program way, to have the users and group information stored in a database and providing a login page to allow a user to login. The user credential is authenticated and the application authorizes him/her access to features and functionalities based on the privileges available to him/her. All these information comes from the data store which could again be administered and managed through separate programs or part of the same application. The user administration will have to be part of the requirement and will require effort implementing through program code.
With declarative security, the application server container takes care of protecting resources of the web application through roles, authorization and group management and appropriately restricts the user from getting into or accessing specific pages in the web site. J2EE certified application servers support declarative security. The authorization details can be mentioned through the web deployment descriptor (web.xml). The Weblogic resource “Declarative Security” has some insights on using web.xml to protect the resources. The security chapter in J2EE tutorial is also a good resource to understand declarative security. The best way to have an efficient security is to have a combination of security approaches as this article “Declarative Web Application Security with Servlets and JSP” explains it with samples.