Chapter 5. Overview

Application security encompasses authentication, authorization, mapping and auditing.
Authentication
Process by which the server determines whether a user should be able to access a system or operation.
Authorization
Process by which the server determines whether an authenticated user has permission to access specific privileges or resources in the system or operation.
Mapping
Process by which the server associates authenticated users with predefined authorization profiles.
Auditing
Process by which the server monitors authentication and authorization security events.
In JBoss Enterprise Application Platform 5, authentication, authorization, and mapping policies are configured with application-level granularity using the concept of a security domain.
Security Domain
A set of authentication, authorization, and mapping policies which are defined in XML and are available to applications at runtime using Java Naming and Directory Interface (JNDI).
A security domain can be defined in the server profile or in an application deployment descriptor.
Auditing for EJB3 and the web container are configured independently of each other, and operate at the server level.
JBoss Enterprise Application Platform 5 uses a pluggable module framework to implement security, providing separation of security implementation and application design. The pluggable module framework provides flexibility in application deployment, configuration, and future development. Modules implementing security functionality are plugged into the framework and provide security functions to applications. Applications plug into the security framework through security domains.
Applications can be deployed in new scenarios with altered security configuration by associating them with a different security domain. New security methods can be implemented by plugging JBoss, custom-built, or third-party modules into the framework. Applications gain the security functionality of that module with no application recoding, by simple reconfiguration of the security domain.
Chapter 6, Security Domain Schema describes the XML configuration of a security domain.
Chapter 7, Authentication contains detailed information about security domain authentication policy.
Chapter 8, Authorization contains detailed information about security domain authorization policy.
Chapter 9, Mapping contains detailed information about security domain mapping policy.