Summary

We started this chapter by discussing the basic concepts of security and the difference between authentication and authorization.

JBoss uses the PicketBox framework, which sits on top of the Java Authentication and Authorization Service (JAAS) and secures all the Java EE technologies running in the application. The core of the security subsystem is the security-domain element, which performs all the required authorization and authentication checks.

Then we took a much closer look at the login modules, which are used to store the user credentials and their associated roles. In particular, we learned how to apply the file-based UserRoles login module and the Database login module. Each login module can be used by enterprise applications in either a programmatic or a declarative way. While programmatic security can provide a fine-grained security model, you should consider using declarative security, which allows a clean separation between the business layer and the security policies.

Finally, in the last section of this chapter, we covered how to encrypt the communication channel using the Secure Sockets Layer and the certificates produced by the keytool Java utility.
