nothing - uses the user/password specified in -ds.xml for DataSources or the getConnection/createConnection method without a user/password (the default).

<application-managed-security> - uses the user/password passed on the getConnection or createConnection request by the application.

<security-domain> - uses the identified login module configured in conf/login-module.xml.

<security-domain-and-application> - uses the identified login module configured in conf/login-module.xml and other connection request information supplied by the application, e.g. queue or topic in JMS.