... Or in some cases, Spring can enhance existing J2EE functionality. For example, I use Spring Security, which provides a better authentication model but I'm still using J2EE authorization in some places since Spring appropriately sets the Principal value in the request object of
servlet invocations. So I can use request.isUserInRole() to enforce fairly granular authorization rules. At the same time, I can use simple Spring security configuration to handle more coarse grained authorization rules.