This had me looking through the docs for a while to find, so I thought I would share.
If you need to secure a Java EE app, be it a web or EJB module, and want to use container-based security instead of coding it yourself, JBoss provides a nice convenience model for pulling out Principals (users) and Roles (permissions) from a table in your database.
What you have to do is edit the file <jboss_home>/server/login-config.xml and add an entry using the org.jboss.security.auth.spi.DatabaseServerLoginModule. Here’s the one I’m using:
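    <!-- placeholder policy name: use your own -->
    <application-policy name="YOUR-POLICY-NAME">
      <authentication>
        <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
          <module-option name="dsJndiName">java:/AdminPanelDS</module-option>
          <module-option name="principalsQuery">select password from entry_user where username=?</module-option>
          <module-option name="rolesQuery">select role, 'Roles' from entry_user_roles where username=?</module-option>
          <module-option name="hashAlgorithm">SHA-1</module-option>
        </login-module>
      </authentication>
    </application-policy>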
After that, add the name of your policy to your application’s WEB-INF/jboss-web.xml if it’s a webapp, or META-INF/jboss.xml if it’s an EJB jar:
After that, configure security using the @RolesAllowed annotation on the methods or class of your EJBs, or the security elements in the web.xml of your webapp.
Further detail can be found at the JBoss Documentation.
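With hashAlgorithm set to SHA-1 and no hashEncoding option, the module compares the Base64-encoded digest of the submitted password with the value returned by the principalsQuery, so the password column of entry_user has to hold that form. The Java helper below is an added example, not code from the original post or from JBoss; the class name, the sample user and role, and the UTF-8 charset are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;

/** Hypothetical helper: builds the value to store in entry_user.password. */
public class PasswordColumnValue {

    /** Digest the clear-text password and encode it to match the login module options. */
    static String encode(String clearText, String hashAlgorithm, String hashEncoding)
            throws NoSuchAlgorithmException {
        // Assumption: the password is hashed as UTF-8 bytes. Set the module's
        // hashCharset option to match if the server's default charset differs.
        byte[] digest = MessageDigest.getInstance(hashAlgorithm)
                .digest(clearText.getBytes(StandardCharsets.UTF_8));
        if ("hex".equalsIgnoreCase(hashEncoding)) {
            StringBuilder sb = new StringBuilder(digest.length * 2);
            for (byte b : digest) {
                sb.append(String.format("%02x", b));
            }
            return sb.toString();
        }
        // Base64 is what the module uses when hashEncoding is not set.
        return Base64.getEncoder().encodeToString(digest);
    }

    /** Hash the typed password and compare it with the stored column in constant time. */
    static boolean matches(String typed, String stored, String hashAlgorithm, String hashEncoding)
            throws NoSuchAlgorithmException {
        byte[] candidate = encode(typed, hashAlgorithm, hashEncoding).getBytes(StandardCharsets.US_ASCII);
        return MessageDigest.isEqual(candidate, stored.getBytes(StandardCharsets.US_ASCII));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample account, not taken from the original post.
        String username = "alice";
        String password = "correct horse battery staple";
        String role = "admin";

        String stored = encode(password, "SHA-1", "base64");
        System.out.println("entry_user:       username=" + username + " password=" + stored);
        System.out.println("entry_user_roles: username=" + username + " role=" + role);
        System.out.println("right password matches: " + matches(password, stored, "SHA-1", "base64"));
        System.out.println("wrong password matches: " + matches("guess", stored, "SHA-1", "base64"));
    }
}
```

hashAlgorithm accepts any java.security.MessageDigest algorithm name, so the same helper produces the column value for a stronger digest such as SHA-256 once login-config.xml is changed to match.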