You can check servlet spec 3.1 (security chapter) for how they are used in the web tier. I would think you can apply these security annotations on servlet class and methods to guard a servlet, or select HTTP methods thereof. I don't think they are applicable to other web components.
For EJB, they are a more natural fit since EJB invocations are all method-based.
They are not for managed beans, either JSF managed beans or Java EE Managed Beans.
@RolesAllowed, @DenyAll, etc. can only be used on EJBs that are deployed in your web application (in the so-called "web tier").
(This looks like it was a late change to the Servlet 3.0 spec, btw.)
I am wondering why @RolesAllowed, @DenyAll, etc. are not supported on managed beans. Is it an architectural thing? Bad design practice? I did come across DeltaSpike, http://incubator.apache.org/projects/deltaspike.html, whose aim is to provide extensions to CDI that would include security. Still in its infancy but interesting.