The specification promotes self-contained application security that is portable across all Java EE servers, and makes use of modern programming concepts such as Expression Language and Contexts and Dependency Injection (CDI). It defines annotations specific to various authentication mechanisms, identity stores to handle user authentication, and a common programming API for programmatic Java EE security. It reduces the dependency on deployment descriptors and application-server-based configuration for securing Java EE web resources.

Once you configure the appSecurity-3.0 feature, your application can annotate the authentication mechanisms and the identity stores that it needs. Applications can provide their own implementations to replace the ones that the application server provides. For example, you can create a custom authentication mechanism and bundle it in your web application without configuring the login-config element in the web.xml file with one of the predefined auth-method types. If you also include your own IdentityStore bean in your application, your IdentityStore can be used to verify the user credentials without the need to configure a user registry in the server.xml file.
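
As an illustration of the annotation and IdentityStore approach described above, the following is an added example, not code from the specification or from the application server. The class name, realm name, group name, and the EXAMPLE_USER and EXAMPLE_PASSWORD environment variables are assumptions made for the example; the bean declares an authentication mechanism by annotation and verifies credentials itself against a salted PBKDF2 hash.

```java
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Collections;
import javax.annotation.PostConstruct;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.enterprise.context.ApplicationScoped;
import javax.security.enterprise.authentication.mechanism.http.BasicAuthenticationMechanismDefinition;
import javax.security.enterprise.credential.UsernamePasswordCredential;
import javax.security.enterprise.identitystore.CredentialValidationResult;
import javax.security.enterprise.identitystore.IdentityStore;

// Added example: class, realm, group and environment variable names are assumptions.
@BasicAuthenticationMechanismDefinition(realmName = "exampleRealm") // instead of login-config in web.xml
@ApplicationScoped
public class ExampleIdentityStore implements IdentityStore {
    private static final int ITERATIONS = 210_000, KEY_BITS = 256;
    private String user;        // single demo account; null means no account is configured
    private byte[] salt, hash;  // only the salted PBKDF2 hash is kept, never the password

    @PostConstruct
    void load() {
        String name = System.getenv("EXAMPLE_USER");    // hypothetical variable
        String pw = System.getenv("EXAMPLE_PASSWORD");  // hypothetical variable
        if (name == null || pw == null) return;         // fail closed: every login is rejected
        salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        hash = pbkdf2(pw.toCharArray(), salt);
        user = name;
    }

    // Called through IdentityStore.validate(Credential) for username/password credentials.
    public CredentialValidationResult validate(UsernamePasswordCredential credential) {
        if (user == null) return CredentialValidationResult.INVALID_RESULT;
        byte[] candidate = pbkdf2(credential.getPassword().getValue(), salt);
        // MessageDigest.isEqual compares the hashes in constant time.
        boolean ok = user.equals(credential.getCaller()) & MessageDigest.isEqual(hash, candidate);
        return ok ? new CredentialValidationResult(user, Collections.singleton("users"))
                  : CredentialValidationResult.INVALID_RESULT;
    }

    private static byte[] pbkdf2(char[] password, byte[] salt) {
        try {
            PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, KEY_BITS);
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }
}
```

The protected resources still need a security constraint (for example, a @ServletSecurity annotation on the servlet) so that the container invokes the mechanism, and HTTP Basic credentials should only be accepted over TLS.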