I'll recommend reading IBM Redbook SG246573 (free download from http://www.redbooks.ibm.com), chapters 6 through 8; these chapters are generic enough to be applied to any J2EE server. It's really excellent: you can find all that you need to configure security in a J2EE system (declarative and programmatic security, client-side and server-side authentication, JAAS, CSIv2, LTPA, J2EE client and thin Java client...).
Best security practices are really well commented.
[ August 19, 2005: Message edited by: Marie Pierre Courbevoie ]