In order to secure your Java EE application today, you will most likely have to use some vendor proprietary features or 3rd party frameworks, or both.
The existing set of specifications range from overly complex to non-existent which has resulted in that almost nobody uses standards for security in Java EE applications.
The Java EE Security API (JSR 375), which is targeted for the upcoming Java EE 8 and 9 releases, addresses this issue by standardizing security APIs and establishing a common terminology. Features that are planned for the first version include APIs for authentication, authorization, user context, security context and more.
This demo-driven session will get you up to speed with the current state for this JSR and 'Soteria', the Reference Implementation. The slides will be backed up of live code examples.