Web Applications Security and Enterprise Java

  Asked By: Hayrah    Date: Oct 30    Category: Java    Views: 886
  

If possible, please answer my question.
In order to create a full-blown J2EE web application with nice and neat security for user authorization and authentication, what do I need to know and implement, basically?
Is it more than knowing JAAS?
Will knowing JAAS suffice?
Of course my J2EE container would be JBOSS.

8 Answers Found

 
Answer #1    Answered By: Dennis Hayes     Answered On: Oct 30

First of all, you should take a look at the JAAS spec. As you look through it you will find that you need to define some roles in your ejb-jar.xml and then specify for each EJB or your web resources the role needed to access it. After that, you will use JAAS as an interface for all accesses; I mean you get an instance of JAAS and then you tell it what to call or which object is to be executed through this interface, and JAAS will help you with the security issues, such as whether the user can access this resource or not.

 
Answer #2    Answered By: Canan Kaya     Answered On: Oct 30

First you need to set a security constraint in your web.xml:


<security-constraint>
  <web-resource-collection>
    <web-resource-name>Laundery Servlet</web-resource-name>
    <url-pattern>/restricted/*</url-pattern>
  </web-resource-collection>
  <!-- can only be accessed by registered mafia users. -->
  <auth-constraint>
    <role-name>mafia</role-name>
  </auth-constraint>
</security-constraint>

<!-- allow any *authenticated* user to access the "restricted" URL -->
<!-- We want to use FORM based login with the login.jsp form. Use
     loginFailed.jsp to handle errors -->

<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/loginFailed.jsp</form-error-page>
  </form-login-config>
</login-config>

<security-role>
  <role-name>mafia</role-name>
</security-role>

Then in jboss-web.xml you choose the login policy; the policy is defined in login-config.xml in jboss-home.
<jboss-web>
  <security-domain>java:/jaas/other</security-domain>
</jboss-web>


If you use security on your web tier, JBoss forces you to have security on your EJB too; if you don't use it you get an AccessException.
In jboss.xml you choose the policy:
<jboss>
  <security-domain>java:/jaas/other</security-domain>
</jboss>

In ejb-jar.xml you set permissions on the methods of your EJBs; if you don't want permissions on your EJB you can use <unchecked/>:
<method-permission>
  <role-name>mafia</role-name>
  <method>
    <ejb-name>SicilianLaundry</ejb-name>
    <method-name>launder</method-name>
  </method>
  <method>
    <ejb-name>SicilianLaundry</ejb-name>
    <method-name>create</method-name>
  </method>
  <method>
    <ejb-name>SicilianLaundry</ejb-name>
    <method-name>remove</method-name>
  </method>
</method-permission>

<security-role>
  <role-name>mafia</role-name>
</security-role>
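As an added example (not code from this thread), here is a small Python check of how a container evaluates the web.xml above for a given request path, using the url-pattern and constraint-combination rules of the servlet spec. The embedded web.xml carries the constraint from this answer; the /admin/* constraint with an empty <auth-constraint/> and the CONFIDENTIAL transport-guarantee (the standard web.xml way to require HTTPS for a path, which the SSL discussion further down touches on) are constructed additions.

```python
import xml.etree.ElementTree as ET

# Constructed web.xml: first constraint is the one from the answer above; the /admin/*
# constraint (empty <auth-constraint/>) and CONFIDENTIAL guarantee are added assumptions.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Laundery Servlet</web-resource-name>
      <url-pattern>/restricted/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>mafia</role-name></auth-constraint>
    <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><web-resource-name>Closed</web-resource-name><url-pattern>/admin/*</url-pattern></web-resource-collection>
    <auth-constraint/>
  </security-constraint>
</web-app>"""

def pattern_matches(pattern, path):
    """Servlet-spec url-pattern rules: exact, prefix (/x/*), extension (*.jsp), default (/)."""
    if pattern in ("/", "/*"):
        return True
    if pattern.endswith("/*"):
        return path == pattern[:-2] or path.startswith(pattern[:-1])
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return path == pattern

def access_for(web_xml, path):
    """Combine every <security-constraint> matching `path` as the servlet spec does and return
    (roles, https_required): roles is None when the path is open (no match, or a match with no
    <auth-constraint>), an empty set when an empty <auth-constraint/> closes it to everyone,
    else the union of role names; https_required holds only if every match demands CONFIDENTIAL."""
    matched = []
    for sc in ET.fromstring(web_xml).findall("security-constraint"):
        patterns = [p.text.strip() for p in sc.findall("web-resource-collection/url-pattern")]
        if not any(pattern_matches(p, path) for p in patterns):
            continue
        ac = sc.find("auth-constraint")
        named = None if ac is None else {r.text.strip() for r in ac.findall("role-name")}
        guarantee = sc.findtext("user-data-constraint/transport-guarantee", "NONE").strip()
        matched.append((named, guarantee == "CONFIDENTIAL"))
    if any(named == set() for named, _ in matched):
        roles = set()      # an empty <auth-constraint/> overrides every other match
    elif not matched or any(named is None for named, _ in matched):
        roles = None       # nothing matched, or a match without <auth-constraint> opens the path
    else:
        roles = set().union(*(named for named, _ in matched))
    return roles, bool(matched) and all(conf for _, conf in matched)
```

A path the constraints do not cover comes back as open, which is the usual reason a "protected" URL turns out to be reachable without logging in: the url-pattern simply did not match it.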

 
Answer #3    Answered By: Steve Boyd     Answered On: Oct 30

Actually, I'm not about to work with SSL & HTTPS because I'm working on a web app with average and over security to authenticate users to let them access authorized resources; and also, your opinion while I'm using JBOSS, Hibernate, Struts?

 
Answer #4    Answered By: Raul Clark     Answered On: Oct 30

Actually, because you are working on a web app, you have to have a secure connection. You need to protect the data that is transferred over the air or wire against malicious manipulation and unauthorized access. The user needs to prove that s/he is the one s/he is claiming to be. You need data encryption for sure; it is very risky and insecure to only define rules and access privileges for your server resources. How do you know if the data is stolen on the way to the server?

Here is an example of secure web service access; it might not be 100% what you want, so only read it from the secure web access perspective:
java.sun.com/.../index.html
java.sun.com/.../appserv8-1.html

Do not mix up EJB security with Web Application Security. As a reference, refer to the Security chapter, Part 3 of Mastering EJB 3:

www.theserverside.com/.../index.tss

 
Answer #5    Answered By: Nixie Schmidt     Answered On: Oct 30

I agree with you that you should have SSL over HTTP for secure communication between client and server, and you can do it relatively easily in JBoss.
I tried to find the part you refer to: "Do not mix up EJB Security with Web Application Security".
I only find: "Web application security is not covered by the EJB specification but rather the J2EE platform specification".
If you read the section "Invoking Enterprise Bean Business Methods" in the spec, you find: "The association is implemented as two related security contexts, one in the web server and one in the EJB container. The EJB container is responsible for enforcing access control on the enterprise bean method".
Exactly what I described in my earlier reply, and exactly how JBoss works: the EJB container forces you to have security roles on your EJB methods, and if you don't want it you must explicitly say that you don't want it.

 
Answer #6    Answered By: Isabelle Brown     Answered On: Oct 30

This is correct; I only talk from the RI point of view. I don't know the specifics about vendor implementations. As you mention, the concept of EJB security and method privileges is separate from web app security. As we had in one posting, you can "usually" have it within the deployment descriptor (application assembly), but for web app security it goes far beyond that, and it is within the administrator's responsibilities.

I might have been confused by the original question as to "if implementation of AA is enough for an end-to-end secure application" or "was it specific to AA (authentication and authorization)".

My understanding was that Mahan is asking if AA is enough for a secure web app, to which the answer is NO. But for specific patterns to implement AA in JBOSS, I take your word for it.

Also, the sentence "Do not mix up EJB Security with Web Application Security" was my own :) you can't find it in the book.

 
Answer #7    Answered By: Nagaraju Iyaner     Answered On: Oct 30

All you wrote is acceptable, but as pooyan mentioned, please consider that I might not need any EJB security at all. The thing is that all the data encryption I need will be implemented later on. But for now, as my web app security is not that important (an average level, as in many other web apps on the net), I just want to follow the basic and essential authentication and authorization patterns in JBoss.
Actually, I wrote some JAAS classes to authenticate and authorize users in some standalone app using LDAP and RDBMS, but mapping these files in JBoss needs more knowledge.

 
Answer #8    Answered By: Tyrone Sanchez     Answered On: Oct 30

For a secure environment, it's not enough to implement only authentication and authorization. You need a secure protocol to perform encryption, tunnelling and transaction monitoring.

Depending on the nature of your remote connectivity, use protocols like HTTPS and SSL, and of course perform whatever cryptography, key signature and certification methods you have handy.

Aside from JAAS (which provides the necessary functionality), you need to implement a secure network topology (for this, read through how to set up firewalls and become familiar with firewall and DMZ combinations).

J2EE security  blueprint is a good place to start.

 