I'm trying to modify an existing application that uses JBoss Application Server 4.0.3, and I find myself confused about how to secure web services with Basic Authentication. The AS documentation says all I need is a web-service.xml document, and that's all I have, but the only tutorial I found on securing web services wants edits to jboss.xml and ejb-jar.xml. There are no ejb-jar.xml or jboss.xml files anywhere to be found. I figure I can add the security policy to the application's login-config.xml easily enough, but I have no idea how to tell JBoss to use that policy for the web service only. What am I failing to understand?