A Java EE web-application can be configured to restrict access to resources via the deployment descriptor (web.xml). Authentication does not need any programming, as it is handled by the container (provided it is properly configured). Here are two ways to implement declarative authentication in Java EE web applications: Basic Authentication The web.xml snippet below uses BASIC authentication: Form Authentication In the snippet below, the section has been changed to use FORM authentication. This will require an additional login form to be created with j_security_check as it's action. The following is the sample form: Other possible values for are DIGEST and CLIENT-CERT.The value of essentially defines whether SSL is required or not. If the value is INTEGRAL or CONFIDENTIAL, then you can assume that an https request is required to access the resource.