I'm looking at a table in the JEE 6 specification section EE.6.25 that seems to indicate that web containers must support the following annotations:
EE.6.25 Common Annotations for the Java™ Platform 1.1 Requirements
The Common Annotations specification defines Java language annotations that are used by several other specifications, including this specification. The specifications that use these annotations fully define the requirements for these annotations. The applet container need not support any of these annotations. All other containers must provide definitions for all of these annotations, and must support the semantics of these annotations as described in the corresponding specifications and summarized in the following table.
Table EE.6-5 Common Annotations Support by Container
What kinds of objects can these @RolesAllowed and @DenyAll be used on in the web tier? Can these annotations be used with managed beans? If not, why not?
You can check the Servlet 3.1 spec (security chapter) for how they are used in the web tier. I would think you can apply these security annotations on a servlet class and its methods to guard a servlet, or selected HTTP methods thereof. I don't think they are applicable to other web components.
For EJB, they are a more natural fit since EJB invocations are all method-based.
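As an added illustration of what the Servlet specification itself provides for guarding a servlet and individual HTTP methods (this is example code written for this page, not taken from the question, the answers or the specification): the servlet container's own declarative security annotations are @ServletSecurity, @HttpConstraint and @HttpMethodConstraint from javax.servlet.annotation, with @DeclareRoles from JSR 250 used to declare the role names. The URL pattern, role names and report text below are assumptions.

```java
// Added example: declarative security on a servlet with the Servlet 3.x annotations.
// The URL pattern "/reports" and the roles "user" / "admin" are assumed for illustration.
import java.io.IOException;

import javax.annotation.security.DeclareRoles;
import javax.servlet.ServletException;
import javax.servlet.annotation.HttpConstraint;
import javax.servlet.annotation.HttpMethodConstraint;
import javax.servlet.annotation.ServletSecurity;
import javax.servlet.annotation.ServletSecurity.EmptyRoleSemantic;
import javax.servlet.annotation.ServletSecurity.TransportGuarantee;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@DeclareRoles({"user", "admin"})          // JSR 250 annotation the web container does honour
@WebServlet("/reports")                    // assumed mapping; @ServletSecurity applies to it
@ServletSecurity(
    // Default for every HTTP method not listed in httpMethodConstraints:
    // caller must be in "user" or "admin", and the request must arrive over TLS.
    value = @HttpConstraint(rolesAllowed = {"user", "admin"},
                            transportGuarantee = TransportGuarantee.CONFIDENTIAL),
    httpMethodConstraints = {
        // DELETE is narrowed to administrators only.
        @HttpMethodConstraint(value = "DELETE", rolesAllowed = "admin",
                              transportGuarantee = TransportGuarantee.CONFIDENTIAL),
        // TRACE is denied to everyone: the per-method equivalent of "deny all".
        @HttpMethodConstraint(value = "TRACE", emptyRoleSemantic = EmptyRoleSemantic.DENY)
    })
public class ReportServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // The container has already authenticated the caller and checked the role
        // before this method runs; an unauthenticated request gets 401 (per the
        // login-config in web.xml) and a wrong role gets 403 without reaching here.
        String user = req.getUserPrincipal().getName();
        boolean admin = req.isUserInRole("admin");   // programmatic check for finer decisions
        resp.setContentType("text/plain");
        resp.getWriter().println("report for " + user + (admin ? " (full detail)" : ""));
    }

    @Override
    protected void doDelete(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Only reachable by "admin" because of the DELETE constraint above.
        resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }
}
```

Two caveats a practitioner should keep in mind: @ServletSecurity only covers the URL patterns of the servlet it is placed on (or of servlets registered through ServletRegistration.Dynamic), and any security-constraint in web.xml whose url-pattern matches the request takes precedence over the annotation, so a deployment descriptor can silently override what the code declares.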
They are not for managed beans, either JSF managed beans or Java EE Managed Beans.
@RolesAllowed, @DenyAll, etc. can only be used on EJBs that are deployed in your web application (in the so-called "web tier").
(This looks like it was a late change to the Servlet 3.0 spec btw)
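The following added example (written for this page, not taken from the answers) shows the distinction the answer makes: a stateless session bean packaged inside the WAR, where the EJB container enforces @RolesAllowed, @PermitAll and @DenyAll on every business-method call, next to a plain CDI managed bean carrying the same annotation, which nothing enforces. The bean names, role names, URL pattern and account identifier are assumptions; the three classes are shown together but belong in separate source files.

```java
// Added example: JSR 250 security annotations enforced on an EJB deployed in the WAR,
// and the same annotation silently ignored on a CDI managed bean.
// Roles "user" / "admin", the "/account" mapping and "acc-1" are assumed values.

// --- file AccountService.java ---
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.DenyAll;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ejb.Stateless;

/** Enforced: the EJB container intercepts each business-method call and checks the caller's roles. */
@Stateless
@DeclareRoles({"user", "admin"})
@RolesAllowed("user")                 // class-level default for every business method
public class AccountService {

    public String balance(String accountId) {      // inherits @RolesAllowed("user")
        return "balance of " + accountId;
    }

    @RolesAllowed("admin")                         // method-level annotation overrides the class default
    public void close(String accountId) {
        // close the account
    }

    @PermitAll                                     // callable by anyone, including unauthenticated callers
    public String version() {
        return "1.0";
    }

    @DenyAll                                       // never callable through the container, whatever the role
    public String debugDump() {
        return "internal state";
    }
}

// --- file ReportHelper.java ---
import javax.annotation.security.RolesAllowed;
import javax.enterprise.context.RequestScoped;

/** NOT enforced: a CDI managed bean is not an EJB, so @RolesAllowed here is inert metadata. */
@RequestScoped
@RolesAllowed("admin")
public class ReportHelper {
    public String generate() {
        return "report";                            // runs for any caller, authenticated or not
    }
}

// --- file AccountServlet.java ---
import java.io.IOException;

import javax.ejb.EJB;
import javax.ejb.EJBAccessException;
import javax.inject.Inject;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@WebServlet("/account")
public class AccountServlet extends HttpServlet {
    @EJB    private AccountService accounts;   // container proxy: security checked on each call
    @Inject private ReportHelper   reports;    // CDI proxy: no security interceptor at all

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        resp.setContentType("text/plain");
        try {
            // The principal established by the web container's login-config
            // (BASIC/FORM in web.xml) propagates into the local EJB call.
            resp.getWriter().println(accounts.balance("acc-1"));
        } catch (EJBAccessException denied) {
            // Raised when the caller is unauthenticated or is not in "user".
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        // Executes for every caller despite @RolesAllowed("admin") on the bean.
        resp.getWriter().println(reports.generate());
    }
}
```

The practical consequence is that putting @RolesAllowed on a CDI or JSF managed bean gives a false sense of protection: the container neither rejects nor enforces it. To get enforced method-level checks on a bean in a Java EE 6 web application, make it an EJB (@Stateless or @Singleton in the WAR), or check programmatically with HttpServletRequest.isUserInRole or the EJB's SessionContext.isCallerInRole, and remember that the role-to-group mapping is done in the vendor-specific deployment descriptor.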
I am wondering why @RolesAllowed, @DenyAll, etc. are not supported on managed beans. Is it an architectural thing? Bad design practice? I did come across DeltaSpike, http://incubator.apache.org/projects/deltaspike.html, whose aim is to provide extensions to CDI that would include security. Still in its infancy, but interesting.