I guess for the SCWCD we just study how to use declarative security, but not indepth of JAAS,though JAAS supports the security configured in the web.xml
in SCWCD I think we just study a bit of only web-tier security and not the web services or ejb-tier security.
In JAAS the components involved are Authenticators,Adjudicators,Authorisers.
Here are some links
http://java.sun.com/j2se/1.4.2/docs/guide/security/index.html contract for containers
http://java.sun.com/j2ee/javaacc/ Correct me If Iam Wrong