The J2EE Agent mechanisms for protecting Web and EJB (Enterprise JavaBeans) modules offer far finer granularity than what you can configure on the J2EE application server. With the agent, you can be very selective about what you protect. For a Web application, you can protect a specific page or group of pages. For an Enterprise JavaBean, you can protect a bean, an interface, a method, or a parameter. After you have selected the granularity of the resource you want to protect, you can configure a policy that grants access to this resource. You can use roles as part of this policy, and you can refine it with other criteria such as LDAP attributes, credential profile attributes, or the day of the week.
The J2EE Agent also allows you to decide how you want authorization handled. You can use the security settings configured on the application server, you can use the Authorization policies configured on the J2EE Agent, or you can use both methods.
The following sections explain how to set up security for your J2EE resources: