EJB 3.0 has specified following attributes/annotations of security which EJB containers implement:
DeclareRoles - Indicates that class will accept those declared roles. Annotations are applied at class level.
RolesAllowed - Indicates that a method can be accessed by user of role specified. Can be applied at class level resulting which all methods of class can be accessed buy user of role specified.
PermitAll - Indicates that business method is accessible to all. Can be applied at class as well as at method level.
DenyAll - Indicates that business method is not accessible to any of user specified at class or at method level.