Hi,

I'm basically pretty much a newbie when it comes to JBoss and I'm trying to get a handle on security from reading the online documentation, mailing list, mailing list archives and of course the forums. Oh yea, I've read Scott Stark's jbossSX article at JavaWorld but I'm still kinda lost.

I'm trying to secure JSPs and servlets which use a regular javabean to communicate to the EJBs in JBoss as well as the EBJs themselves and it seems that everything I find pertaining to that kind of environment pertains to web containers integrated in the same JVM as JBoss itself. My setup dictates that the web container (Tomcat 4.0) runs on a separate system from JBoss. (2.4.1)

I'd like to be able to use a database as a datasource for usernames/roles/passwords. I would use DatabaseServerLoginModule instead of UsersRolesLoginModule? If so, how do I even configure my web app and JBoss to use it?

Would the regular bean in the web app be written similarly to SessionClient.java from the JBoss docs JAAS Howto?

Example code would be most helpful. Sorry for such a broad question that requires such depth to explain but I think this would help many folks out there come to grips with J2ee security within JBoss.