J2EE Security (in my mind) is just using the already available java security (JCE, JAAS..) and implementing them on the J2EE side with regard to Servlets, JSP,EJB...
J2EE Security also entails using the already available security that is provided by the container being used such as the <CONFIDENTIAL> attribute that has been mentioned.
The book that Brian is promoting talks in detail about these details. I highly recommend it