Can somebody point to me to a good document which explains J2EE Security. I am interested in knowing the complete flow. For example how is the user name and role mapping is done. How is the password authentication done typically. How is it implemented for web components and how is the role passed to the EJBs.