I read this tutorial and installed the examples. They work fine.
In my servlets, no EJBs are used. I only want to secure my web application. I tried to use the example auth.conf-file from the tutorial and specified <security-domain>java:/jaas/example1</security-domain> in the jboss-web.xml deployment descriptor. But it still is ignored and I get into the application without being prompted for a password. I wondered where to put the roles.properties and the users.properties files within a web-application. I put it in /WEB-INF/classes.