Hi Shi,
Ans1) Declarative security means securing through the configuration in web.xml, and programmatic security means securing through the code (servlet) you write.
Case 1: declarative security: here we can secure our web app through various declarations. For authentication we have:
<login-config>
    <auth-method>...</auth-method>
    <form-login-config>..</form-login-config>
</login-config>
For authorization we have:
<security-constraint>
    <web-resource-collection>
        <web-resource-name>..</web-resource-name>
        <url-pattern></url-pattern>
        <http-method></http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>..</role-name>
    </auth-constraint>
    <user-data-constraint>
        <transport-guarantee></transport-guarantee>
    </user-data-constraint>
</security-constraint>
<security-role>
    <role-name>..</role-name>
</security-role>
<security-role-ref>
    <role-name>..</role-name>
    <role-link>..</role-link>
</security-role-ref>
Case 2:
For programmatic security we have only three methods defined (on HttpServletRequest):
boolean isUserInRole(String roleName)
java.security.Principal getUserPrincipal()
String getRemoteUser()
So now you can see, if we have to secure our web-app resources we must declare through web.xml which resources have restricted access and who, in which role, can access them.
Whereas in code (programmatically) we can only determine if the resource is restricted or not, and if the user is an authentic one.
regards
-santosh
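As an added example (not part of Santosh's post), here is a servlet that uses the three programmatic calls above on top of the declarative protection from web.xml. It assumes the javax.servlet API (Servlet 2.x/3.x), that web.xml maps this servlet under a URL covered by a <security-constraint>, and that a role named "admin" is declared in <security-role>; the class name ReportServlet and the role name are illustrative.

```java
import java.io.IOException;
import java.security.Principal;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example, not from the original post. Assumed deployment: web.xml maps
// this servlet to a URL inside a <security-constraint> and declares the role
// "admin" in <security-role>. The class and role names are illustrative.
public class ReportServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {

        // 1. getUserPrincipal(): null means the container authenticated nobody
        //    for this request (for instance the URL was left out of every
        //    <security-constraint>, so no <login-config> challenge ran).
        //    Programmatic code can detect this, but cannot trigger the login.
        Principal principal = req.getUserPrincipal();
        if (principal == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // 2. getRemoteUser(): the login name, useful for audit logging. Do not
        //    make access decisions by comparing this string; use roles instead.
        String user = req.getRemoteUser();
        log("report requested by " + user);

        // 3. isUserInRole(): the role must be declared in <security-role> (or
        //    mapped through <security-role-ref>), otherwise it is always false.
        //    Fail closed: deny unless the check explicitly passes.
        if (!req.isUserInRole("admin")) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        // Optional defence in depth for a CONFIDENTIAL <transport-guarantee>:
        // refuse to serve the resource over a non-TLS connection.
        if (!req.isSecure()) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        resp.setContentType("text/plain");
        resp.getWriter().println("confidential report for " + principal.getName());
    }
}
```

The point of the example is the division of labour the post describes: the container decides, from web.xml, whether to challenge the user and which roles are allowed in; the servlet can only inspect the outcome (principal present, role held, connection secure) and refuse to proceed, which is why a programmatic check is a complement to a <security-constraint>, not a replacement for one.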