In the simplest way, security in web applications can be implemented by proxy web servers, such as Apache or nginx. In that case, the security responsibilities are transparent to the application.
This is often the case if the enterprise application doesn't have to deal with users as domain entities.