You have determined the authentication mechanism to use.
More information about authentication mechanisms: AS Java Authentication Infrastructure .
You have determined your authorization strategy.
In your application, decide what you want to protect, how to group your permissions, and what to call them.
More information: Approaches to Protecting Applications .
To protect a Java application, you must deny access to users, who do not have the required authorizations. To do this, you must first require the users to authenticate themselves. After the user is authenticated, the system can check if the user has the required authorizations to work with the application.