most sample applications in
ejb books are using declarative security, but I am wondering how it is happen in real project. Because in that case, Your users will be managed by the Application Server, all users have to be configured in the deploy descriptor, how are you going to add users programmically?
In petstore, it doesn't use any J2EE security feature(HTTP basic authentication, SSL authentication, or form-based login), instead, it uses EJB and SignOnFilter to handle this. Why doesn't it use declarative security to handle login, etc.?
anyone show some light on it? thanks!