Like other Apex classes, you can specify whether a user can execute methods in a custom controller or controller extension class based on the user's profile.
Permission for an Apex class is checked at the top level only. For example, if class A calls class B, and a user profile has access only to class A but not class B, the user can still execute the code in class A. Likewise, if a Visualforce page uses a custom component with an associated controller, security is only checked for the controller associated with the page. The controller associated with the custom component executes regardless of permissions.
To set Apex class security from the class list page:
To set Apex class security from the class detail page: