I think the 3rd option is not correct:
@javax.annotation.security.RolesAllowed
Servlet Specification 3.0 contains these entries in the Change Log:
A.1 Changes since Servlet 3.0 Proposed Final Draft
...
4. Added a new annotation - @ServletSecurity (and associated annotation for the fields) for defining security as opposed to re-using the @RolesAllowed, @PermitAll, @DenyAll
...
A.2 Changes since Servlet 3.0 Public Review
...
7. Added support for security related common annotations - @RolesAllowed, @PermitAll, @DenyAll
...
It looks like it was almost included, but then replaced with @ServletSecurity and now it's not supported.
@RolesAllowed is also missing from the list of all the annotations that must be supported mentioned in the explanation at the bottom.
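
For reference, an added example (not part of the original post or of the mock exam): a Servlet 3.0 servlet whose access rules are declared with @ServletSecurity, the annotation that change-log entry A.1 item 4 says was introduced instead of reusing @RolesAllowed, @PermitAll and @DenyAll. The class name, URL pattern and role names are made up for illustration.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.HttpConstraint;
import javax.servlet.annotation.HttpMethodConstraint;
import javax.servlet.annotation.ServletSecurity;
import javax.servlet.annotation.ServletSecurity.EmptyRoleSemantic;
import javax.servlet.annotation.ServletSecurity.TransportGuarantee;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical servlet; "/reports", "auditor" and "admin" are illustrative names.
@WebServlet("/reports")
@ServletSecurity(
    // Default for every HTTP method not listed below: deny all access
    // (the job @DenyAll would have done).
    value = @HttpConstraint(EmptyRoleSemantic.DENY),
    httpMethodConstraints = {
        // Per-method role list (the job @RolesAllowed would have done).
        @HttpMethodConstraint(value = "GET", rolesAllowed = {"auditor", "admin"}),
        // State-changing method: one role only, and TLS required.
        @HttpMethodConstraint(value = "POST", rolesAllowed = "admin",
                              transportGuarantee = TransportGuarantee.CONFIDENTIAL),
        // No roles + PERMIT (the default semantic): open to everyone,
        // authenticated or not (the job @PermitAll would have done).
        @HttpMethodConstraint(value = "OPTIONS",
                              emptyRoleSemantic = EmptyRoleSemantic.PERMIT)
    })
public class ReportServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // The container has already enforced the GET constraint here;
        // isUserInRole only refines what an allowed caller sees.
        resp.setContentType("text/plain");
        resp.getWriter().println("user=" + req.getRemoteUser()
                + " admin=" + req.isUserInRole("admin"));
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }
}
```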