JBossSX uses JAAS as the underlying security infrastructure. The central point of JBossSX is the SecurityDomain that acts a bit like a customs office for foreigners. Before the request crosses JBoss AS borders, the SecurityDomain performs all the required authorization and authentication checks and eventually notifies the caller if he/she can proceed.

Security domains are generally configured at server startup and subsequently bound into the JNDI tree under the key java:/jaas/. The security service configuration is declared in the server/xxx/deploy/security/security-jboss-beans.xml file. This is the most relevant portion of it:

<bean name="XMLLoginConfig" class="org.jboss.security.auth.login.XMLLoginConfig"> <property name="configResource">login-config.xml</property> ...