Security is always a high priority in application development, and with complex applications the task becomes even more daunting. While the Java EE specification, JAAS and JACC provide a step in the right direction, every application server is free to implement container security differently. Apache Geronimo, a JEE 5.0 certified container, enables storing user credentials in a variety of data stores viz., simple text files, a database, an LDAP server and digital certificates. In this session we see how these data stores can be used to configure application security and how the necessary infrastructure can be run in Apache Geronimo itself. The session presents: a) Prerequisites for PropertiesFile, Database, LDAP and CertificatePropertiesFile realms and shows how to create these realms. b) Advanced features like auditing, lockout after repeated failures, prinicipal wrapping, single-sign-on, etc. c) Configuring Web/EJB/EAR application security. After completing this session, the audience will gain knowledge on their choice of data stores for user credentials, create various security realms and deployment plans necessary to secure their applications with Geronimo.