most sample applications in ejb books are using declarative security, but I am wondering how it is happen in real project. Because in that case, Your users will be managed by the Application Server, all users have to be configured in the deploy descriptor, how are you going to add users programmically? In petstore, it doesn't use any J2EE security feature(HTTP basic authentication, SSL authentication, or form-based login), instead, it uses EJB and SignOnFilter to handle this. Why doesn't it use declarative security to handle login, etc.? anyone show some light on it? thanks!
Yes your suspicion is right. You cannot use declarative security for users that are managed by you (your application). So, you must be wondering when exactly is declarative security useful. I could think of one scenario : Consider there is a group of applications (not users) that must call your EJBs etc. for some work. These apps could be assigned user ids, and passwds, which they can use while logging into your app. and calling your EJBs or whatever. Since, number of these apps etc.. are pre-known this would work.