EJB components operate inside a container environment and rely heavily on the container to provide security. The four key services needed for security are:
1. Identification: In the Java security APIs this identifier is defined as a principal.
2. Authentication: To prove an identity, one must present credentials in the form of a password, digital certificate, swipe card, fingerprints, etc.
3. Authorization (Access Control): Every secured system should limit access to particular users. The common way to enforce access control is by maintaining security privileges and roles.
4. Data Confidentiality: This is achieved by encryption of some sort. It is no good to protect your data with authentication if someone can read the password.
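How the principal (service 1) and role-based access control (service 3) look in EJB code, as an added example that is not part of the original text. The bean name, role names and the 10000 threshold are hypothetical; the annotations use the `jakarta.*` packages (older Java EE servers use `javax.*` for the same types).

```java
import jakarta.annotation.Resource;
import jakarta.annotation.security.DeclareRoles;
import jakarta.annotation.security.PermitAll;
import jakarta.annotation.security.RolesAllowed;
import jakarta.ejb.SessionContext;
import jakarta.ejb.Stateless;
import java.math.BigDecimal;
import java.security.Principal;

// Hypothetical bean and role names, chosen for illustration.
@Stateless
@DeclareRoles({"teller", "auditor"})
@RolesAllowed("teller")               // class-level default for every business method
public class AccountServiceBean {

    @Resource
    private SessionContext ctx;       // injected by the container

    // Inherits the class-level rule: only callers in role "teller" get in.
    // Any other caller receives jakarta.ejb.EJBAccessException from the
    // container before this method body runs.
    public String transfer(String from, String to, BigDecimal amount) {
        Principal caller = ctx.getCallerPrincipal();   // the authenticated identity
        // Programmatic check for a rule the annotations cannot express:
        // large transfers additionally require the "auditor" role.
        if (amount.compareTo(new BigDecimal("10000")) > 0
                && !ctx.isCallerInRole("auditor")) {
            throw new SecurityException(
                caller.getName() + " may not transfer more than 10000");
        }
        // Return an audit record naming the principal that acted.
        return caller.getName() + " moved " + amount + " from " + from + " to " + to;
    }

    @RolesAllowed({"teller", "auditor"})   // method-level rule overrides the class default
    public BigDecimal balance(String account) {
        return BigDecimal.ZERO;            // constructed placeholder value
    }

    @PermitAll                             // any caller, no role required
    public String serviceVersion() {
        return "1.0";
    }
}
```

The role names are logical: which real users or groups hold `teller` or `auditor` is decided when the application is deployed, so the bean code carries no user names or credentials.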
The EJB specification concerns itself exclusively with authorization (access control). An application using EJB may specify, in an abstract (declarative) and portable way, who is allowed to access business functions. The EJB container accepts the following actions: