Security in applications is a never-ending story. Most of the knowledge about how to build secure applications is derived from knowledge and experience. And we've all done the same mistakes every Java EE developer does over and over again. But how to solve the real business requirements behind access and authorization with Java EE? Can I have a 15k rights matrix? Does that perform? How to secure the transport layer? How does session binding works? Can I implement 2-Factor-Authentication? And what about social integrations? This talk outlines the key capabilities of the Java EE platform and introduces the audience to additional frameworks and concepts which do help by implementing all kinds of security requirements in Java EE based applications.