Application level security falls in the hands of the J2EE Developer. Even this can be divided into three separate roles:
Application Developer - responsible for security at the development level and for defining the roles, rules and business logic into the application logic.
Application Assembler - responsible for ensuring that the packaging of EAR's and WAR's is done so that cross-application vulnerabilities are minimized.
Application Deployer - responsible for securing the deployment of EAR's and assigning and maintaining access control lists.
It is not uncommon for all three roles to be played by the same set of developers.
JBoss EAP 6, as a component platform, provides declarative security. Rather than embed security logic into a business component, you describe the security roles and permissions in a standard XML descriptor. This way, business level code is isolated from the security code. Read more about declarative security in JBoss EAP 6 here Section 2.4, “About Declarative Security”
Declarative security is bolstered by programmatic security. J2EE developers can use J2EE APIs in code to determine authorization and enforce enhanced security.