Invocation of a secured method on a servlet
The server turns to the configured SecurityManager for the servlet. JBoss has a default SecurityManager bound to JNDI under java:/jaas/
The default SecurityManager uses the last part of the JNDI name to determine the security domain and looks up the configuration for this domain from login-conf.xml
Each LoginModule that has been configured for the security domain is called and asked if it can authenticate the user with the given name and credentials (for example a password)
In the given example the deployed and secured unit is a servlet. The mechanism works nearly the same for EJBs, thus you only need to exchange the following names to get an example for this.
The file login-config.xml is located in the conf directory of your server configuration, which is jboss-3.2.x/server/default/conf/ for the default configuration.
A LoginModule that was able to authenticate a user with the given credentials can then associate one or more roles to the user. The server then checks the authorization by seraching through the defined roles in web.xml. At least one of the roles is needed before access is granted.