A secured application uses one or both of the security qualifiers securityPermission and securityIdentity. When these qualifiers are present, additional steps must be taken at deployment time for the application and its security features to work correctly.
Applications implement interfaces that have methods. You can secure an interface or a method with the Service Component Architecture (SCA) qualifier securityPermission. When you use this qualifier, you specify a role (for example, "supervisors") that has permission to invoke the secured method. When you deploy the application, you have the opportunity to assign users to the specified role.
The securityIdentity qualifier is equivalent to the RunAs role used for delegation in WebSphere Application Server. The value associated with this qualifier is a role. During deployment, the role is mapped to an identity. An invocation of a component secured with securityIdentity takes on the specified identity, regardless of the identity of the user who is invoking the application.