@RolesAllowed, @DenyAll usage in web tier?


I'm looking at the Java EE 6 specification section EE.6.25, which indicates that web containers must support the following annotations: @PermitAll, @DenyAll, @RolesAllowed, @DeclareRoles and @RunAs.

EE.6.25 Common Annotations for the Java™ Platform 1.1 Requirements

The Common Annotations specification defines Java language annotations that are used by several other specifications, including this specification. The specifications that use these annotations fully define the requirements for these annotations. The applet container need not support any of these annotations. All other containers must provide definitions for all of these annotations, and must support the semantics of these annotations as described in the corresponding specifications and summarized in the following table.

Table EE.6-5 Common Annotations Support by Container

 
Annotation  App Client    Web   EJB

Resource        Y          Y     Y
Resources       Y          Y     Y
PostConstruct   Y          Y     Y
PreDestroy      Y          Y     Y
Generated       N          N     N
RunAs           N          Y     Y
DeclareRoles    N          Y     Y
RolesAllowed    N          Y     Y
PermitAll       N          Y     Y
DenyAll         N          Y     Y

Down a bit further in the spec., it says, "...the web container is now required to support the RolesAllowed, PermitAll, and DenyAll annotations. The Servlet specification and the JAX-RS specification contain the details."

It doesn't mention the JSF spec., so I am assuming that these annotations cannot be used on managed beans. Why not?

How is a cross-cutting concern such as authorization implemented in the web tier on objects that are not servlets or filters and besides using page-level declarative security in web.xml?

There are 1 answers

Patrick Garner On BEST ANSWER

...and the answer is... an EJB is a CDI managed bean. To use @RolesAllowed on a managed bean simply turn it into an EJB and enjoy. Here's an example of an EJB used as a backing bean!
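
A sketch of the approach this answer describes, added here as an illustration and not the example the answer refers to: a stateless EJB exposed to JSF through `@Named`, with the container enforcing `@RolesAllowed` on each business method. The package, bean name, role names and navigation outcomes are hypothetical.

```java
package example.security; // hypothetical package

import java.security.Principal;
import java.util.logging.Logger;
import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;
import javax.inject.Named;

// Stateless session bean with a no-interface view. @Named makes it
// reachable from JSF EL as #{accountAdmin}, so it serves as a backing bean.
@Named("accountAdmin")
@Stateless
@DeclareRoles({"ADMIN", "AUDITOR"}) // hypothetical role names
@RolesAllowed("ADMIN")              // default rule for every business method
public class AccountAdminBean {

    private static final Logger LOG =
            Logger.getLogger(AccountAdminBean.class.getName());

    @Resource
    private SessionContext ctx;

    // Inherits the class-level rule: only callers in ADMIN may invoke it.
    public String disableAccount(String username) {
        audit("disable account " + username);
        return "accounts"; // hypothetical navigation outcome
    }

    // A method-level annotation overrides the class-level rule.
    @RolesAllowed({"ADMIN", "AUDITOR"})
    public String viewAuditLog() {
        audit("view audit log");
        return "audit"; // hypothetical navigation outcome
    }

    // Open to callers in any role; lets a page decide whether to render
    // admin controls, e.g. rendered="#{accountAdmin.admin}".
    @PermitAll
    public boolean isAdmin() {
        return ctx.isCallerInRole("ADMIN");
    }

    // Private helper, not a business method: records who did what.
    private void audit(String action) {
        Principal caller = ctx.getCallerPrincipal();
        LOG.info(caller.getName() + ": " + action);
    }
}
```

The container rejects a caller outside the allowed roles with `javax.ejb.EJBAccessException` before the method body runs, so the page flow needs to handle that exception. Hiding a control with `rendered` is only cosmetic; the annotation on the method is what enforces the rule.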