
Configuring Security Roles Using Annotations in Web Applications

 

Two annotations configure security settings:

  • @DeclareRoles

    This annotation declares the security roles defined by the application.

  • @RunAs

    This annotation maps the application's security role to an existing security role.

Procedure

Using the @DeclareRoles Annotation

Use this annotation at class level, passing the role name as an attribute.

Example

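    import java.io.IOException;
    import java.io.PrintWriter;
    import javax.annotation.security.DeclareRoles;
    import javax.servlet.http.HttpServlet;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;

    // Declares the "Customer" role that isUserInRole() is tested against below
    @DeclareRoles("Customer")
    public class CustomerServlet extends HttpServlet {

        //…
        @Override
        public void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
            PrintWriter out = resp.getWriter();

            //…
            out.println("@DeclareRoles Test : ");
            out.println("isUserInRole Customer = " + req.isUserInRole("Customer"));
            //…
        }
    }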

The @DeclareRoles("Customer") statement is equivalent to defining the following security role in the web.xml deployment descriptor.

Syntax

    <web-app>
      …
      <security-role>
        <role-name>Customer</role-name>
      </security-role>
      …
    </web-app>

Using the @RunAs Annotation

Use this annotation at class level, passing the role name as an attribute.

Example

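    import javax.annotation.security.RunAs;
    import javax.ejb.EJB;
    import javax.servlet.http.HttpServlet;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;

    // Calls from this servlet to EJBs are propagated with the "Customer" role
    @RunAs("Customer")
    public class RunAs_servlet extends HttpServlet {

        // @EJB injection applies to fields, not to local variables
        @EJB
        ShopingCart customerCart;

        //…
        @Override
        public void doGet(HttpServletRequest req, HttpServletResponse resp) {

            //....

            customerCart.getTotal();
        }
    }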

The @RunAs("Customer") statement is equivalent to defining the following run-as element in the web.xml deployment descriptor.

Example

    <web-app>
      …
      <servlet>
        <servlet-name>RunAs_servlet</servlet-name>
        <!-- the role name goes in a role-name child of run-as -->
        <run-as>
          <role-name>Customer</role-name>
        </run-as>
      </servlet>
      …
    </web-app>
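
The following added example (not part of the original documentation or of any SAP tooling) checks a web.xml descriptor for servlets whose run-as role does not match a declared security-role, or whose run-as element has no role-name child. It reads only the descriptor, so roles declared solely through @DeclareRoles are not visible to it; the sample descriptor, including Report_servlet, Legacy_servlet and the Admin role, is constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptor; Report_servlet, Legacy_servlet and Admin are made up.
SAMPLE = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <security-role><role-name>Customer</role-name></security-role>
  <servlet>
    <servlet-name>RunAs_servlet</servlet-name>
    <run-as><role-name>Customer</role-name></run-as>
  </servlet>
  <servlet>
    <servlet-name>Report_servlet</servlet-name>
    <run-as><role-name>Admin</role-name></run-as>
  </servlet>
  <servlet>
    <servlet-name>Legacy_servlet</servlet-name>
    <run-as>Customer</run-as>
  </servlet>
</web-app>"""

def children(elem, name):
    """Direct children called `name`, ignoring the namespace prefix on tags."""
    return [c for c in elem if c.tag.rsplit("}", 1)[-1] == name]

def text_of(elems, default=""):
    """Trimmed text of the first element in `elems`, or `default` if empty."""
    return (elems[0].text or "").strip() if elems else default

def audit_run_as(web_xml_text):
    """Return (servlet-name, problem) pairs for run-as entries that do not
    resolve to a role declared in a <security-role> element."""
    root = ET.fromstring(web_xml_text)
    declared = {text_of(children(sr, "role-name"))
                for sr in children(root, "security-role")}
    findings = []
    for servlet in children(root, "servlet"):
        name = text_of(children(servlet, "servlet-name"), "<unnamed>")
        for run_as in children(servlet, "run-as"):
            roles = children(run_as, "role-name")
            if not roles:
                findings.append((name, "run-as has no <role-name> child"))
            elif text_of(roles) not in declared:
                findings.append((name, "run-as role '%s' is not declared" % text_of(roles)))
    return findings

if __name__ == "__main__":
    for servlet_name, problem in audit_run_as(SAMPLE):
        print(servlet_name + ": " + problem)
```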