If you would like learn more about the JavaEE5/GlassFish security topic, 
please check Jagadesh Babu Munta’s blog post about the issue. Here is some part of his post :
It useful to have a reference for all GlassFish application server related information. Here is what I could collect now ( as part1)!
The security startup information is easily found at Security FAQ – https://glassfish.dev.java.net/javaee5/security/faq.html
Few other document resources
- GlassFish Project – Security home page – https://glassfish.dev.java.net/javaee5/security/
- GlassFish Security Configuration Guide – https://glassfish.dev.java.net/javaee5/docs/AG/ablnk.html
Technical tips/articles
- Using SSL with GlassFish V2 - http://java.sun.com/mailers/techtips/enterprise/2007/TechTips2_Nov07.html
- Key Management and PKCS#11 Tokens in Sun Java System Application Server 8.1 - http://developers.sun.com/appserver/reference/techart/keymgmt.html
- Adding Authentication Mechanisms to the GlassFish Servlet Container – http://blogs.sun.com/enterprisetechtips/entry/adding_authentication_mechanisms_to_the
- Using Security Annotations in Enterprise Beans – http://java.sun.com/mailers/techtips/enterprise/2007/TechTips_March07.html#2
- Accessing a Secure Enterprise Bean From a Java Client or Through Java Web Start Technology - http://java.sun.com/developer/EJTechTips/2006/tt0225.html#2
- Authentication Using Custom Realms in Sun Java System Application Server – http://developers.sun.com/appserver/reference/techart/as8_authentication/index.html
to read more click Jagadesh Babu Munta’s blog post.
