There are three parts to securing web apps.
1. Create a security domain in the login-config.xml file that is in the conf directory.
2. in jboss-web.xml in your WEB-INF directory that points to the security domain, like Jaikiran posted.
3. in your web.xml create a security role and use it as a security contraint, like you posted.
You can test this out by using the web-console security domain that is already in the login-config.
Check out these links
http://wiki.jboss.org/wiki/Wiki.jsp?page=SecureAWebApplicationInJBoss http://wiki.jboss.org/wiki/Wiki.jsp?page=SecureTheJmxConsole Some key points to keep in mind, especially when using the UsersRolesLoginModule. First is that the properties files need to be in the classpath of your app.
So in this example
the props directory has to be in the root of your classpath. and of course the files have to exist, and they are text files with a name=value on each line.
Also try looking at the console during startup and try to find it deploying the security domain. I don't recall ever needing a jboss.xml
Definitely just try to get the jmx-console to be secure and go from there.
Good Luck
Mark
You exception says it is looking for defaultUsers.properties, but in your security domain it says the files name is my-web-users.properties. Different names there?