Use the application's ACL (file -> application -> access control list) to control which user can do what.

Any user who has not logged in is "Anonymous".
Any user who has logged in, but does not have a special entry (name or group) in the ACL is "-Default-".

To create documents, a user needs at least "author" access with the checkbox "create documents". With this access, the user can create a document, but cannot edit it unless the document contains a field of type "author" with the name of the user in it.
A user with level "editor" can edit every document he can see.

Control who can use a specific XPage

As an addition to the application's ACL every XPage has an ACL, too. You find it in the XPage properties -> all properties -> data -> acl.
There you can create ACL entries with a name, access level and user type.

User name is:

Anonymous for not authenticated users
-Default- for authenticated users whitout a entry of their own
A user name
A group name
A role

Write a role as [role].

Read more at the XPages Blog

Additional measures

In a XPages application you might want to ensure that only your XPages elements are being used to access data.
Here are some tips to disable elements of classic Domino web development.

Hide forms

No Notes form is needed in the web, since the XPages are providing the UI.
Enable the "hide design element from: web browsers" property for all forms.

Or, if you some forms has to be visible to web browsers, make sure that they display only the information you want them to display. Do not rely on that users only work with our XPages, since a simple ?EditDocument command uses the plain form again.

Prevent web user from accessing views directly

Create a $$ViewTemplateDefault form which is blank or just contains a message like "Nothing to see here".

Set form formula in the 0 view

Create a view named "0". Set form formula to a form which is just blank.

Hide views

Set the "hide design elements from: web browsers" properties on all views not needed in the web.

Block a XPage from users not having a role

X-Page -> All Properties -> rendered

var v:Array = database.queryAccessRoles(session.getEffectiveUserName());
@IsMember("[role]", v)

As an alternative you could redirect to another page in BeforePageRendered event of the XPage using context.redirect() when the user does not have the role.

Check your agents

Check which agents are available from the web.
Check with which ID your agents are running if they are executed from the web. A standard agent runs with the ID with which it is signed. Check for the property "run as web user", this makes the agent run with the rights of the current web user.

Check what your application does on certain URL commands

There are many URL commands in Domino. Check if your application does what it should on these commands:

db.nsf?OpenDatabase
db.nsf/0?ReadViewEntries
db.nsf/0?ReadDesign
db.nsf/0/$first?OpenDocument
db.nsf/otherwebviews?ReadViewEntries
db.nsf/otherwebviews?ReadDesign
db.nsf/otherwebviews/$first?OpenDocument
db.nsf/$defaultNav?OpenNavigator
db.nsf/$defaultform?OpenForm

You can create some redirection rules for your Global Web Settings (found in internet sites in your Domino Directory) so that these potential dangerous URLs are redirected to some error page.
Here is an example: