Originally posted by Gopi Balaji:
One could use declarative security for authentication, and programmatic security for authorization.
Originally posted by Simon Brown:
However, while declarative security can restrict who sees a specific resource such as a JSP, it can't help with controlling whether or not that person is authorized to see the information displayed on that page.
A good place for this type of logic (on the web app side) would be servlet filters or custom tags.
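
As an added illustration (not code from any of the posters), here is a servlet filter that makes the per-record decision declarative security cannot express. The class name, the `accountId` parameter, the `auditor` role and the ownership map are assumptions made for the example, and the filter is assumed to be mapped to a URL pattern that a `<security-constraint>` in web.xml already protects.

```java
import java.io.IOException;
import java.util.Map;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter: the container authenticates the caller (declarative),
// this code decides whether that caller may see the requested record (programmatic).
public class AccountOwnerFilter implements Filter {

    // Constructed sample data: account id -> owning user name.
    // A real application would query its own data store here.
    private static final Map<String, String> OWNERS = Map.of(
            "1001", "alice",
            "1002", "bob");

    @Override
    public void init(FilterConfig config) {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Populated by the container after declarative authentication succeeds.
        String user = request.getRemoteUser();
        if (user == null) {
            // Filter was reached without a login, e.g. it is mapped to an unprotected URL.
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // The URL constraint only proves the caller may reach this page;
        // it says nothing about which account the page is about to display.
        String accountId = request.getParameter("accountId");
        String owner = accountId == null ? null : OWNERS.get(accountId);
        boolean allowed = user.equals(owner) || request.isUserInRole("auditor");
        if (!allowed) {
            // Fail closed: a missing id, an unknown account and a foreign account are all refused.
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {}
}
```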