  Question Asked By: Hayrah Burki   on Oct 30 In Java Category.

  
Question Answered By: Canan Kaya   on Oct 30

First you need to set a security constraint in your web.xml:


<security-constraint>
  <web-resource-collection>
    <web-resource-name>Laundery Servlet</web-resource-name>
    <url-pattern>/restricted/*</url-pattern>
  </web-resource-collection>
  <!-- can only be accessed by registered mafia users. -->
  <auth-constraint>
    <role-name>mafia</role-name>
  </auth-constraint>
</security-constraint>

<!-- allow any *authenticated* user to access the "restricted" URL -->
<!-- We want to use FORM based login with the login.jsp form. Use
loginFailed.jsp to handle errors -->

<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/loginFailed.jsp</form-error-page>
  </form-login-config>
</login-config>

<security-role>
  <role-name>mafia</role-name>
</security-role>

Then in jboss-web.xml you choose the login policy; the policy is defined in
login-config.xml in jboss-home.
<jboss-web>
  <security-domain>java:/jaas/other</security-domain>
</jboss-web>


If you use security on your web tier, JBoss forces you to have security on
your EJBs too; if you don't use it, you get an AccessException.
In jboss.xml you choose the policy:
<jboss>
  <security-domain>java:/jaas/other</security-domain>
</jboss>

In ejb-jar.xml you set permissions on the methods in your EJBs; if you don't
want permissions on your EJB you can't use <unchecked/>:
<method-permission>
  <role-name>mafia</role-name>
  <method>
    <ejb-name>SicilianLaundry</ejb-name>
    <method-name>launder</method-name>
  </method>
  <method>
    <ejb-name>SicilianLaundry</ejb-name>
    <method-name>create</method-name>
  </method>
  <method>
    <ejb-name>SicilianLaundry</ejb-name>
    <method-name>remove</method-name>
  </method>
</method-permission>

<security-role>
  <role-name>mafia</role-name>
</security-role>
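
Added example, not part of the original answer and not JBoss code: a small Python check of the web.xml constraints shown above. It goes beyond the answer by also flagging `<http-method>` restrictions and FORM login without a CONFIDENTIAL transport guarantee; the function names and the `<web-app>` wrapper around the constructed sample are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the answer's web.xml fragments wrapped in a <web-app> root
# (the form-login-config pages are omitted here for brevity).
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Laundery Servlet</web-resource-name>
      <url-pattern>/restricted/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>mafia</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>FORM</auth-method></login-config>
  <security-role><role-name>mafia</role-name></security-role>
</web-app>"""

def _all(node, name):
    # Match on the local tag name so namespaced descriptors also work.
    return [e for e in node.iter() if e.tag.rsplit("}", 1)[-1] == name]

def _texts(node, name):
    return [(e.text or "").strip() for e in _all(node, name)]

def audit_web_xml(xml_text):
    """Return a list of findings for each <security-constraint> (hypothetical helper)."""
    root = ET.fromstring(xml_text)
    findings = []
    declared = {r for sr in _all(root, "security-role") for r in _texts(sr, "role-name")}
    form_login = "FORM" in _texts(root, "auth-method")
    for sc in _all(root, "security-constraint"):
        where = ",".join(_texts(sc, "url-pattern"))
        auth = _all(sc, "auth-constraint")
        # Without an auth-constraint the container lets every caller through.
        if not auth:
            findings.append(f"{where}: no auth-constraint, resource is not role-protected")
        # Every role used in a constraint should be declared in a <security-role>.
        for role in (r for ac in auth for r in _texts(ac, "role-name")):
            if role != "*" and role not in declared:
                findings.append(f"{where}: role '{role}' is not declared in security-role")
        # Listing methods constrains only those methods; the rest stay open.
        if _all(sc, "http-method"):
            findings.append(f"{where}: http-method listed, other HTTP methods are unconstrained")
        # FORM login posts the password in the request body, so require TLS.
        if form_login and "CONFIDENTIAL" not in _texts(sc, "transport-guarantee"):
            findings.append(f"{where}: FORM login without CONFIDENTIAL transport-guarantee")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_web_xml(WEB_XML)))
```

Run against the answer's fragments, the only finding is the missing transport guarantee; the role and method checks pass.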

This Question has 7 more answer(s). View Complete Question Thread

 