The Security configuration and programming model has been much simplified with Java EE 5 and especially with the general introduction of Annotation. The Annotation has reduced significantly the XML cacophony. But in some cases declaring thing external from the source code is good, and an example of that is Security.
So lets start with an easy EJB and use standard Java Enterprise Bean Security Annotations , but we will also use JBoss specific JAAS Security Annotation. Later on we will test that we can override these values by declaring security on the EJB deployment descriptor ejb-jar.xml (Java EE) and jboss.xml (JBoss Container Specific)
NOTE: Do not use JNDI prefix java:/jaas in the SecurityDomain annotation.
NOTE: SecurityDomain has since JBoss 5.X changed package name, if you are using JBoss 4.X it is org.jboss.security.annotation.SecurityDomain.
In our first example the deployment descriptors can be quite empty.
NOTE: Since JBoss 5.X the JNDI prefix java:/jaas is now optional, but left for backward compatibility.
And finally we will have to define our security domain in $JBOSS_HOME/server/$CONF/conf/login-config.xml.
Now lets get started with overriding these security settings with the deployment descriptors. The two deployment descriptors are quite open and writing of them can be done in different ways. But I use these guidelines, for hopefully making things a little more simpler.
Try to use the generic ejb-jar.xml as much as possible. And only put specific container configuration in the jboss.xml.
And changing security is a Java EE feature so declaring security is done in the ejb-jar.xml file.
 Java EE 5 Tutorial: http://docs.oracle.com/javaee/5/tutorial/doc/bnbyl.html
 JBoss Security FAQ: https://community.jboss.org/wiki/SecurityFAQ