We are developing a small EJB application for a university lecture using EJB 3.0, JBoss and Servlet (or JSP alternatively). Can we use the @PermitAll, @DenyAll, @RolesAllowed(Role), @RunAs(Role) annotations to secure our servlets? Or do we have to do it the traditional way, writing some session property after a user has logged in and then evaluating the session for every servlet (if session.getProperty("loggedin")==true then show servlet else redirect to 404)?