要举的 Oracle文档：

在Sun Java System Application Server安全模型基于一个认证的用户会话。一旦会话已创建的应用程序用户进行身份验证（如果使用了身份验证），并登录到会话。从接收EJB请求的servlet的每次交互一步做了两件事：生成一个JSP内容格式化输出，并且检查用户是否正确验证

The Sun Java System Application Server security model is based on an authenticated user session. Once a session has been created the application user is authenticated (if authentication is used) and logged in to the session. Each interaction step from the servlet that receives an EJB request does two things: generates content for a JSP to format the output, and checks that the user is properly authenticated.

一个会话是指识别和服务器标记属于一起HTTP（S）请求。 Servlet可以识别属于一个已知会话的新要求，并能坚持沿着一个会话的请求的信息。使用这种只会返回正确的内容，如果它记住用户已在本届会议期间成功验证（如果该机制已被设置）。

A session means HTTP(S) requests which are identified and tagged by the server to belong together. The servlet can identify a new request belonging to a known session and can persist information along the requests of a session. Using this it will only return the proper content, if it has memorized that the user has successfully authenticated during that session (if that mechanism has been configured).

因此​​，了解会议（以上链接），然后继续进行身份验证的文档，例如看到这里。

Thus read about session (link above) and then continue with the documentation on authentication, e.g. see here.