I just attempted to read the security chapter in the JBoss book and I'm feeling like that was a mistake; there seems to be too much there to comprehend.
Is there a really easy way to do the following:
1. Protect web resources with a password
2. Protect EJB resources with the same authentication, i.e. propagate the servlet logon to the EJB layer
3. Administer the users and groups for authentication
4. Query the logged-on user from a servlet and EJB context
5. Assign permissions to users and groups on an application basis
What classes do I have to write to do this?
Is there an action diagram or similar describing step by step what happens when a user tries to access web and servlet resources?
I've written JAAS login modules and callbacks as well as WL security realm implementations before but I'm finding this tough going at the moment.