I guess a senior J2EE developer or a Java/J2EE architect can perform this function. I am not sure if this is a full-time role unless the site is huge. [ June 23, 2007: Message edited by: arulk pillai ]
I guess once the J2EE security infrastructure is built , there is no regular changes required that a project would need a full time J2EE security specialist.
But have seen or heard of J2EE consultants with security as specialization.