I'm using the predefined security domain other and added the user's with the JBOSS_HOME/add_user.bat Scritpt to the ApplicationRealm.
standalone-full.xml snippet:
<subsystem xmlns="urn:jboss:domain:security:1.1">
<security-domains>
<security-domain name="other" cache-type="default">
<authentication>
<login-module code="Remoting" flag="optional">
<module-option name="password-stacking" value="useFirstPass"/>
</login-module>
<login-module code="RealmUsersRoles" flag="required">
<module-option name="usersProperties" value="${jboss.server.config.dir}/application-users.properties"/>
<module-option name="rolesProperties" value="${jboss.server.config.dir}/application-roles.properties"/>
<module-option name="realm" value="ApplicationRealm"/>
<module-option name="password-stacking" value="useFirstPass"/>
<module-option name="unauthenticatedIdentity" value="guest"/>
</login-module>
Servelt snippet:
@ServletSecurity(@HttpConstraint(rolesAllowed = {"Customer", "VIP"}))
public class LoginServlet extends HttpServlet {