I'd like to ask you: what security do you use in your projects? Declarative, according to the J2EE specification, or have you written your own stuff to secure your applications?
Example: in the case of an application which has only a web interface to access the EJB layer, do you secure the EJBs as well, or only the web tier?
Some sources (documents, examples) would be appreciated, as on Google I'm able to find only technical stuff (how and where to put tags in web.xml and so on...), but I'm more interested in general patterns for how to secure an application, so as not to reinvent the wheel.
Well, we support both in JBoss because sometimes you need more than declarative.
Declarative is kinda nice and simple, but a bit too simple. In JBoss you can specify the insertion of an interceptor we delegate to, so as to run your own checks (see security proxies in the doco).
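To illustrate the question's point about securing the EJB layer as well as the web tier, here is an added example (not from either poster) of declarative constraints on both tiers using the same roles, so that a caller reaching the EJBs without going through the web tier still hits an access check. It assumes a hypothetical `OrderBean` and the roles `clerk` and `manager`; the container's mapping of authenticated principals to those roles (a JBoss login module) is not shown, and neither is the JBoss security-proxy hook the answer mentions.

```xml
<!-- web.xml fragment: protect the web tier (constructed example) -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Orders</web-resource-name>
    <url-pattern>/orders/*</url-pattern>
    <!-- no <http-method> listed on purpose: naming methods here would leave
         every unlisted method (HEAD, PUT, ...) unconstrained -->
  </web-resource-collection>
  <auth-constraint>
    <role-name>clerk</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<security-role><role-name>clerk</role-name></security-role>

<!-- ejb-jar.xml fragment: protect the EJB tier with the same roles, so the
     check does not depend on the request having come through the web tier
     (constructed example; OrderBean is hypothetical) -->
<assembly-descriptor>
  <security-role><role-name>clerk</role-name></security-role>
  <security-role><role-name>manager</role-name></security-role>
  <method-permission>
    <role-name>clerk</role-name>
    <method>
      <ejb-name>OrderBean</ejb-name>
      <method-name>placeOrder</method-name>
    </method>
  </method-permission>
  <method-permission>
    <role-name>manager</role-name>
    <method>
      <ejb-name>OrderBean</ejb-name>
      <method-name>approveRefund</method-name>
    </method>
  </method-permission>
  <!-- methods no client may call at all, regardless of role -->
  <exclude-list>
    <method>
      <ejb-name>OrderBean</ejb-name>
      <method-name>purgeAll</method-name>
    </method>
  </exclude-list>
</assembly-descriptor>
```

Keeping the role names identical in both descriptors is what lets one principal-to-role mapping cover both tiers; a method with no `method-permission` and no `exclude-list` entry should be reviewed explicitly rather than assumed protected.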