Summary

IT security is an essential aspect of today's systems. Historically, some of the biggest security issues have been weak encryption and hashing algorithms, insecure persistence of passwords, and home-grown security implementations. Important security principles include encrypting communication, using external, trusted security providers for authentication and authorization, keeping credentials out of version control, and including test scenarios that verify the protection.

Communication is usually encrypted at the transport layer using TLS. The certificates used should be correctly signed, either by a company-internal or an official certificate authority. Other approaches include using security features of the protocol layer, such as HTTP basic authentication on top of encrypted communication.

Decentralized security decouples authentication and authorization responsibilities from the applications by involving trusted identity providers. Single sign-on and decentralized access-delegation protocols are examples of this.

Security at Java EE application boundaries is usually realized on top of Servlets. The Security API, introduced in Java EE 8, aims to provide simpler, uniform approaches to tackling security in Java EE applications. HTTP authentication mechanisms are one example: they make the powerful JASPIC functionality easier to use. Identity stores provide the authentication and authorization information of users.

The idea of the Security API is to integrate with existing functionality and to offer uniform access mechanisms. The included features should be sufficient to secure enterprise applications on the HTTP side.
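As an added example that is not from the book: a custom identity store for the Java EE 8 Security API that keeps only salted PBKDF2 hashes and is consulted by the container-provided HTTP Basic authentication mechanism (the realm name, class name and sample user are assumptions for illustration; a real store would load users from a database).

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

import javax.annotation.PostConstruct;
import javax.enterprise.context.ApplicationScoped;
import javax.inject.Inject;
import javax.security.enterprise.authentication.mechanism.http.BasicAuthenticationMechanismDefinition;
import javax.security.enterprise.credential.Credential;
import javax.security.enterprise.credential.UsernamePasswordCredential;
import javax.security.enterprise.identitystore.CredentialValidationResult;
import javax.security.enterprise.identitystore.IdentityStore;
import javax.security.enterprise.identitystore.Pbkdf2PasswordHash;

// Activates the container-provided HTTP Basic mechanism (deploy it behind TLS);
// the container hands the received credential to every IdentityStore bean.
@BasicAuthenticationMechanismDefinition(realmName = "example")
@ApplicationScoped
public class HashedUserIdentityStore implements IdentityStore {
    @Inject
    private Pbkdf2PasswordHash passwordHash; // standard PBKDF2 hasher of the Security API

    private final Map<String, String> hashes = new HashMap<>();
    private final Map<String, Set<String>> groups = new HashMap<>();

    @PostConstruct
    void init() {
        passwordHash.initialize(Collections.singletonMap("Pbkdf2PasswordHash.Iterations", "4096"));
        // Constructed sample user; only the salted PBKDF2 hash is kept, never the password.
        hashes.put("alice", passwordHash.generate("correct horse".toCharArray()));
        groups.put("alice", new HashSet<>(Arrays.asList("user", "admin")));
    }

    @Override
    public CredentialValidationResult validate(Credential credential) {
        if (!(credential instanceof UsernamePasswordCredential)) {
            return CredentialValidationResult.NOT_VALIDATED_RESULT; // let other stores try
        }
        UsernamePasswordCredential upc = (UsernamePasswordCredential) credential;
        String storedHash = hashes.get(upc.getCaller());
        if (storedHash == null || !passwordHash.verify(upc.getPassword().getValue(), storedHash)) {
            return CredentialValidationResult.INVALID_RESULT; // unknown user or wrong password
        }
        // Caller name and groups become the authenticated principal and its roles.
        return new CredentialValidationResult(upc.getCaller(), groups.get(upc.getCaller()));
    }
}
```

Because the container drives the mechanism and the store, the application code never parses the Authorization header or compares passwords itself, which is exactly the home-grown logic the chapter warns against.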
