Asking about security in the jBPM5 framework is like asking about security in xstream or log4j. They are frameworks that you use inside your applications. Your applications are in charge of the security, but not the framework itself.
Now, if you are asking about the Human Task Server in jBPM5, then Adam Bach's answer can help you.