Michael,
I think you posted this twice, but that's OK - I'll respond here, too.
It depends on what you're looking for. In chapter 9, we show how to add
J2EE declarative security (FORM-based authentication) to the web site. Then, we show how to connect with JAAS (Java Authentication and Authorization Service) to authenticate/authorize the user. We use role-based security so that users in a particular role can only see certain pages. We show how to protect JSPs and Action URLs (so that only authorized users can execute your business logic).
We chose JAAS because:
1) JBoss security is based on JAAS.
2) You can swap out security realms (DBMS, Operating System, etc.) without changing your code.
We show how to configure JBoss to use a JAAS LoginModule that uses database tables for user authentication/authorization.
We also show how to propagate your security context (user/role) to the EJB tier from the web tier. But, if you don't use the Remote Interface for EJBs (or you don't use them at all), then the web-tier security is sufficient.
We also have an Appendix that covers JAAS in greater depth than the security chapter.
Tom
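As an added illustration of the setup Tom describes above (this is not code from the book or from anyone in this thread), the three pieces of declarative security wiring for JBoss 3.x/4.x are: a FORM-protected URL space with role constraints in web.xml, the jboss-web.xml binding of the web app to a JBoss security domain, and a login-config.xml application policy that uses JBoss's DatabaseServerLoginModule to read users and roles from database tables. The realm name myrealm, the datasource java:/MyDS, the table and column names, the /secure/* URL pattern, the role names and the JSP page paths are all assumptions chosen for the example.

```xml
<!-- ===== WEB-INF/web.xml (fragment) =====
     Everything under /secure/ (JSPs and action URLs alike) requires an
     authenticated user holding the "manager" or "admin" role. Anything
     not matched by a security-constraint stays public, so the login
     and error pages must live OUTSIDE /secure/.  (paths are assumed) -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Secure pages and actions</web-resource-name>
    <url-pattern>/secure/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>manager</role-name>
    <role-name>admin</role-name>
  </auth-constraint>
  <!-- FORM auth posts j_password in the clear; require TLS for it -->
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>myrealm</realm-name>
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/loginError.jsp</form-error-page>
  </form-login-config>
</login-config>

<!-- every role referenced above must be declared -->
<security-role><role-name>manager</role-name></security-role>
<security-role><role-name>admin</role-name></security-role>

<!-- ===== login.jsp (form body) =====
     The action and field names are fixed by the servlet spec; the
     container intercepts j_security_check and never exposes it to code. -->
<form method="post" action="j_security_check">
  <input type="text"     name="j_username" />
  <input type="password" name="j_password" />
  <input type="submit"   value="Log in" />
</form>

<!-- ===== WEB-INF/jboss-web.xml =====
     Maps this web app onto the JAAS application policy named "myrealm". -->
<jboss-web>
  <security-domain>java:/jaas/myrealm</security-domain>
</jboss-web>

<!-- ===== server/default/conf/login-config.xml (fragment) =====
     DatabaseServerLoginModule: principalsQuery returns the stored password
     for a username; rolesQuery returns (role, group) rows, and the group
     column must be the literal 'Roles' for the container to treat them
     as J2EE roles. Table/column names and the datasource are assumed. -->
<application-policy name="myrealm">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule"
                  flag="required">
      <module-option name="dsJndiName">java:/MyDS</module-option>
      <module-option name="principalsQuery">
        select passwd from app_users where username=?
      </module-option>
      <module-option name="rolesQuery">
        select role_name, 'Roles' from app_user_roles where username=?
      </module-option>
      <!-- store digests, not cleartext: the module hashes the submitted
           password with this algorithm/encoding before comparing -->
      <module-option name="hashAlgorithm">MD5</module-option>
      <module-option name="hashEncoding">base64</module-option>
    </login-module>
  </authentication>
</application-policy>
```

Two things to check when wiring this up: the security-constraint only guards requests that arrive through the container, so a servlet forward or include into /secure/ is not re-checked and a Struts-style action that forwards to a protected JSP should itself sit under the constrained pattern; and swapping the realm later (say, to an LDAP or OS login module) is a change to login-config.xml alone, which is the portability Tom's point 2 refers to.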