Chapter 5. Applying Security

In the ToDo application, we made several concessions both to fit into the J2EE notion of security and to live within the bounds of the default authentication mechanism provided by JBoss. That mechanism, if you recall, authenticates users against Java properties files. It’s simple and quick. But although it’s the perfect solution for getting an application up and running quickly, we’re willing to bet you won’t want to deploy a real application with a user management process that involves manually editing files and redeploying your application.

In this chapter, we’ll see how we can configure the behavior of JBoss to allow for much more interesting security policies around applications. We’ll see how to make JBoss pull user and role information from a relational database and from an LDAP server, and we’ll see how to combine login mechanisms to better fit the needs of a real application deployment. We’ll also take a step back to the web tier and look at how to enable SSL support for secure access to applications.

Defining a Security Domain

The action of authenticating the user (verifying the user’s password) and authorizing the user (checking whether the user has permissions to perform a given action) comes from something called a security domain. The ...
