There are two fundamental ways of controlling access to sensitive code:

• Declarative authorization can be performed by a system administrator, who configures the system's access (that is, declares who can access which applications in the system). With declarative authorization, user access privileges can be added, changed, or revoked without affecting the underlying application code.
  
  
• Programmatic authorization uses Java application code to make authorization decisions. Programmatic authorization is necessary when authorization decisions require more complex logic and decisions, which are beyond the capabilities of declarative authorization. Since programmatic authorization is built into the application code, making programmatic authorization changes requires that some part of the application code be rewritten.

You'll learn about both declarative and programmatic authorization techniques in this tutorial.