Java principals and roles

Java security principals and roles represent identities and authorization roles, respectively. Principals and roles are usually configured in the application server in vendor-specific ways. Once a request has been authenticated, it is bound to a principal for the duration of its execution.

One way to use the associated roles within the execution workflow is through common security annotations such as @RolesAllowed. This declarative approach checks whether the calling principal holds one of the listed roles and otherwise results in a security exception:

import javax.annotation.security.RolesAllowed;
import javax.ejb.Stateless;

@Stateless
public class CarManufacturer {

    ...

    // only principals in the "worker" role may invoke this method
    @RolesAllowed("worker")
    public Car manufactureCar(Specification spec) {
        ...
    }

    // only principals in the "factory-admin" role may invoke this method
    @RolesAllowed("factory-admin")
    public void reconfigureMachine(...) {
        ...
    }
}

Besides vendor-specific solutions, users and roles can be extended to carry domain-specific information. To do so, the Principal security type is specialized.

It is possible to inject the principal, identified by its name, and to provide a specialization of it. The container takes care of identifying the user, for example, by using form-based authentication.
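The following is an added example, not code from the book, that ties the two ideas above together: a specialized Principal that carries domain-specific data (FactoryPrincipal, a hypothetical name) and a small reflection-based check that mimics what the container does before invoking a method annotated with @RolesAllowed. In a real deployment the container performs this check in its interceptor chain and populates the principal itself; here both are simulated so the example runs stand-alone. It assumes the javax.annotation API (Java EE 7/8) on the classpath and Java 9 or later for Set.of.

```java
import java.lang.reflect.Method;
import java.security.Principal;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import javax.annotation.security.RolesAllowed;

public class RoleCheckDemo {

    // Hypothetical domain-specific principal: the authenticated user's name,
    // a factory-specific attribute, and the roles resolved for that user.
    // In a real application the container (or identity store) populates this.
    public static final class FactoryPrincipal implements Principal {
        private final String name;
        private final String factorySite;
        private final Set<String> roles;

        public FactoryPrincipal(String name, String factorySite, Set<String> roles) {
            this.name = name;
            this.factorySite = factorySite;
            this.roles = Collections.unmodifiableSet(new HashSet<>(roles));
        }

        @Override
        public String getName() { return name; }
        public String getFactorySite() { return factorySite; }
        public boolean hasRole(String role) { return roles.contains(role); }
    }

    // Simplified illustration of the declarative check the container performs:
    // a method-level @RolesAllowed overrides a class-level one; an unannotated
    // method is unrestricted; otherwise the caller must hold at least one role.
    public static void enforceRoles(Method method, Principal principal) {
        RolesAllowed allowed = method.getAnnotation(RolesAllowed.class);
        if (allowed == null) {
            allowed = method.getDeclaringClass().getAnnotation(RolesAllowed.class);
        }
        if (allowed == null) {
            return; // no restriction declared for this method
        }
        if (!(principal instanceof FactoryPrincipal)) {
            throw new SecurityException("unauthenticated caller for " + method.getName());
        }
        FactoryPrincipal fp = (FactoryPrincipal) principal;
        for (String role : allowed.value()) {
            if (fp.hasRole(role)) {
                return; // authorized
            }
        }
        throw new SecurityException(fp.getName() + " lacks a required role for " + method.getName());
    }

    // The bean from the text, reduced to its annotated business methods.
    public static class CarManufacturer {
        @RolesAllowed("worker")
        public String manufactureCar(String spec) { return "car built to " + spec; }

        @RolesAllowed("factory-admin")
        public void reconfigureMachine(String machineId) { }
    }

    public static void main(String[] args) throws Exception {
        Method manufacture = CarManufacturer.class.getMethod("manufactureCar", String.class);
        Method reconfigure = CarManufacturer.class.getMethod("reconfigureMachine", String.class);

        // Constructed sample principals
        FactoryPrincipal worker = new FactoryPrincipal("alice", "plant-1", Set.of("worker"));
        FactoryPrincipal admin = new FactoryPrincipal("bob", "plant-1", Set.of("worker", "factory-admin"));

        enforceRoles(manufacture, worker);     // passes: alice holds "worker"
        enforceRoles(reconfigure, admin);      // passes: bob holds "factory-admin"
        try {
            enforceRoles(reconfigure, worker); // denied: alice is not a factory-admin
        } catch (SecurityException e) {
            System.out.println("denied: " + e.getMessage());
        }
    }
}
```

The point of separating FactoryPrincipal from the check is that the authorization decision stays declarative on the bean while the principal can still expose domain data such as the factory site to business code that injects it.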

This approach was especially advised prior to Java EE version 8. However, modern applications will likely use identity stores to represent domain-specific user information.
