Declarative Security Versus Programmatic Security

Two basic approaches to implementing security are programmatic security, in which you embed explicit security calls directly into your code, and declarative security, in which you specify security policies using deployment descriptors and configuration files.

When making use of programmatic security, you embed security enforcement within the application with programmatic checks on policies, to determine what a user is allowed to do or see in the application, and then react to this information appropriately. Programmatic security can be useful, even required in some situations, especially in application contexts in which the expressive power of declarative security is insufficient. But programmatic security should be used with care. If the design and implementation are not clever and the developers are not careful, such checks become scattered and strewn throughout the application code. This situation can become extremely difficult to maintain because of duplicated code and nonuniform implementation styles. For example, a change in a particular piece of business logic might require changing several pieces of code. This is expensive, because there is more code to update and test, and also error-prone, because it’s difficult to ensure that you’ve covered all the bases when the code is implemented and distributed in an ad hoc fashion. So with programmatic security, the onus is on you to architect your security code in such a way that ...
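The maintenance problem described above, shown in plain Java as an added example that is not from the book. `Request`, `POLICY`, the paths and the role names are constructed stand-ins rather than Java EE APIs; the policy table plays the part of a deployment descriptor entry.

```java
import java.util.Map;
import java.util.Set;

public class SecurityStyles {
    // Constructed stand-in for a container request; isUserInRole mirrors the
    // kind of call programmatic security embeds in application code.
    record Request(String path, Set<String> roles) {
        boolean isUserInRole(String role) { return roles.contains(role); }
    }

    // --- Programmatic: each handler carries its own check ---
    static String viewPayroll(Request r) {
        if (!r.isUserInRole("manager")) return "403 Forbidden";
        return "200 payroll report";
    }
    static String exportPayroll(Request r) {
        // Added later by someone else; the role check was never copied over.
        return "200 payroll.csv";
    }
    static String programmatic(Request r) {
        return r.path().endsWith("/export") ? exportPayroll(r) : viewPayroll(r);
    }

    // --- Declarative: policy is data kept outside the handlers ---
    // Constructed policy table (path prefix -> required role), playing the
    // part of a deployment descriptor entry.
    static final Map<String, String> POLICY = Map.of("/payroll", "manager");

    static String declarative(Request r) {
        for (Map.Entry<String, String> rule : POLICY.entrySet()) {
            if (r.path().startsWith(rule.getKey()) && !r.isUserInRole(rule.getValue())) {
                return "403 Forbidden";   // enforced once, before any handler
            }
        }
        // Handlers now hold business logic only.
        return r.path().endsWith("/export") ? "200 payroll.csv" : "200 payroll report";
    }

    public static void main(String[] args) {
        Request clerk = new Request("/payroll/export", Set.of("clerk"));
        Request manager = new Request("/payroll/export", Set.of("manager"));
        System.out.println("programmatic, clerk:   " + programmatic(clerk));
        System.out.println("declarative,  clerk:   " + declarative(clerk));
        System.out.println("declarative,  manager: " + declarative(manager));
    }
}
```

The programmatic path serves the export to the clerk because one handler lacks the check, while the single policy entry covers every path under `/payroll` without touching handler code.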

Get Java Enterprise in a Nutshell, Third Edition now with the O’Reilly learning platform.
