In the Java Persistence API, you don’t need to provide an XML descriptor to specify the primary key, while you do need to provide a back pointer reference in a bidirectional relationship, unlike the Entity Bean specification version 2.1.
Java Server Faces can act as a front controller (i.e. no GUI) and unlike Custom Tag Libraries and much like a Servlet.
JSF does save view state, but cannot be previewed outside the container.
JCA = Java Cryptography Architecture as well as Java Connector Architecture. Having overloaded acronyms in the same domain is confusing. Java Cryptography Extension is packaged with JCA – guess which JCA? JAAS is the Java Authentication and Authorization Service. While the former supports RSA, DSA, AES etc, the latter abstracts authentication APIs as well as permissions API. JSSE is Java Secure Socket Extension – it is primarily used for TLS, SSL, Kerberos, SASL.
Weirdly enough JNLP applications that are running without their jars signed can interact with System properties and the clipboard. Well, in a way that’s understandable if you know what Web Start is supposed to be used for.
A single Sign-On delegator pattern is great for improving availability of remote security services, but doesn’t protect against weak session identifiers. Filtering for HTML tags is a good idea when accepting input reviews - especially look for applet, script or frames and possibly div tags too. You don’t want folks entering scripts that get rendered somehow to grab other users data when viewed.