One of my tasks for the current iteration was to add security constraints to the J2EE web service that we are currently developing. This is the easy part. Simply define the appropriate security-constraint , login-config , and security-role elements in the project's web.xml . web.xml <web-app xmlns="http://java.sun.com/xml/ns/j2ee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_5.xsd" > <display-name> ... </display-name> <servlet> ... </servlet> <servlet-mapping> ... </servlet-mapping> <security-constraint> <display-name> deny unauthorized users </display-name> <web-resource-collection> <web-resource-name> global </web-resource-name> <url-pattern> / </url-pattern> <url-pattern> /* </url-pattern> ...