It's easy to focus on just the big ticket changes in Java EE 7 such as WebSocket, JSON-P, JMS 2, JAX-RS 2, Java Batch, Concurrency Utilities and so on but there's actually a lot more going on pretty much across the board. One such set of important but easy to overlook changes are in JASPIC 1.1 (JSR 196).
In a very well written blog post, Arjan Tijms goes over the changes. He talks about the context/motivation for each change along with the technical details and sample code. He also references the very handy change log for JASPIC 1.1. It's a great read if you are interested in Java EE security.