OK. Here is a useful link: 4.3.2. Security Using a Database
The section right above this one also has some necessary information:
4.3.1. Configuring the Security Domain
Basically, unlike Tomcat, there are no Realms in JBoss for security.
The security parameters are specified in login-config.xml with the attribute "<application-policy name="[policyName]">"
Your app references this policy throug jbos-web.xml which is placed in your app's WEB-INF directory.
A MAJOR QUESTION STILL REMAINS: If you deploy an app that uses a custom security policy (rather than the default), do you need to go in and manually edit the login-config.xml?
In Tomcat, there is a context.xml that enables you to deploy security realms in an addendum to the server.xml without having to edit the server.xml. Does JBoss have a similar concept?
Thx. And sorry for the late night rant. :)