It is not clear whether you are asking for risks associated with (i) writing a LoginModule as per the JAAS specification; (ii) using a JAAS-based LoginModule for an authentication server; or (iii) the JAAS mechanism of specifying specific authorizations in a policy file. As with any project, using any of these involves risks. One thing that I would like to mention is that JAAS-based authentication becomes fairly complicated in a client-server environment. (No wonder that web apps and EJB apps do not use it directly -- most of it is hidden by the respective containers.) The file-based policy specification also has administration and auditing problems -- but this is not an inherent limitation of JAAS. JAAS allows a pluggable implementation of the policy database and a corresponding provider. For a production environment, one should use a good provider.
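To make point (i) concrete, here is a minimal LoginModule written to the JAAS specification, driven through a LoginContext. This is an added example, not code from the answer above or from any JAAS provider; the class name DemoLoginModule, the configuration name "Demo", the user "alice" and the in-memory password table are all assumptions constructed for the demonstration. It shows the parts of the contract that are easy to get wrong: the two-phase login()/commit() protocol with abort() and logout() cleanup, zeroing the password after use, and a constant-time comparison of the credential.

```java
import java.io.IOException;
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.Principal;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

public class DemoLoginModule implements LoginModule {
    // Constructed in-memory "user database": username -> SHA-256(password).
    // A real module would query a directory or database and use a salted, slow
    // hash (e.g. PBKDF2); a plain hash is used here only to stay self-contained.
    private static final Map<String, byte[]> USERS = new HashMap<>();
    static { USERS.put("alice", sha256("correct horse".toCharArray())); }

    // The Principal that commit() attaches; a policy file grant would key on it.
    public static final class UserPrincipal implements Principal {
        private final String name;
        UserPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public boolean equals(Object o) {
            return o instanceof UserPrincipal && name.equals(((UserPrincipal) o).name);
        }
        @Override public int hashCode() { return name.hashCode(); }
        @Override public String toString() { return "UserPrincipal[" + name + "]"; }
    }

    private Subject subject;
    private CallbackHandler handler;
    private String user;
    private boolean authenticated;   // set by login()
    private boolean committed;       // set by commit()
    private UserPrincipal principal;

    @Override
    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.handler = handler;
    }

    // Phase 1: verify the credential, but do not touch the Subject yet.
    @Override
    public boolean login() throws LoginException {
        if (handler == null) throw new LoginException("no CallbackHandler supplied");
        NameCallback nc = new NameCallback("user: ");
        PasswordCallback pc = new PasswordCallback("password: ", false);
        try {
            handler.handle(new Callback[] { nc, pc });
        } catch (IOException | UnsupportedCallbackException e) {
            throw new LoginException("callback failed: " + e.getMessage());
        }
        char[] pw = pc.getPassword();   // getPassword() returns a copy
        pc.clearPassword();             // wipe the callback's own copy
        try {
            // Hash even for unknown users so timing does not reveal which names exist;
            // MessageDigest.isEqual compares in constant time.
            byte[] actual = sha256(pw == null ? new char[0] : pw);
            byte[] expected = USERS.get(nc.getName());
            if (expected == null || !MessageDigest.isEqual(expected, actual)) {
                throw new LoginException("authentication failed");
            }
            user = nc.getName();
            authenticated = true;
            return true;
        } finally {
            if (pw != null) Arrays.fill(pw, '\0');   // do not leave the secret on the heap
        }
    }

    // Phase 2: only now attach principals, and only if the whole stack succeeded.
    @Override
    public boolean commit() {
        if (!authenticated) return false;
        principal = new UserPrincipal(user);
        subject.getPrincipals().add(principal);
        committed = true;
        return true;
    }

    // Another module in the stack failed: undo whatever this module did.
    @Override
    public boolean abort() {
        if (!authenticated) return false;
        if (committed) logout(); else { user = null; authenticated = false; }
        return true;
    }

    @Override
    public boolean logout() {
        if (principal != null) subject.getPrincipals().remove(principal);
        principal = null; user = null; authenticated = false; committed = false;
        return true;
    }

    // Hash a char[] without ever turning it into an immutable String.
    private static byte[] sha256(char[] pw) {
        ByteBuffer bb = StandardCharsets.UTF_8.encode(CharBuffer.wrap(pw));
        byte[] raw = new byte[bb.remaining()];
        bb.get(raw);
        try {
            return MessageDigest.getInstance("SHA-256").digest(raw);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        } finally {
            Arrays.fill(raw, (byte) 0);
            if (bb.hasArray()) Arrays.fill(bb.array(), (byte) 0);
        }
    }

    public static void main(String[] args) throws LoginException {
        // Programmatic equivalent of the login.config entry
        //   Demo { DemoLoginModule required; };
        // so the example runs without a configuration file on disk.
        Configuration.setConfiguration(new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                if (!"Demo".equals(name)) return null;
                return new AppConfigurationEntry[] { new AppConfigurationEntry(
                        DemoLoginModule.class.getName(),
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
                        new HashMap<String, Object>()) };
            }
        });
        // Constructed handler standing in for a UI or a server-side request.
        CallbackHandler handler = callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName("alice");
                else if (cb instanceof PasswordCallback)
                    ((PasswordCallback) cb).setPassword("correct horse".toCharArray());
                else throw new UnsupportedCallbackException(cb);
            }
        };
        LoginContext lc = new LoginContext("Demo", handler);
        lc.login();   // runs login() on every module, then commit() (or abort())
        System.out.println("principals: " + lc.getSubject().getPrincipals());
        lc.logout();
    }
}
```

The split between login() and commit() is what lets several modules be stacked under one configuration entry: LoginContext calls login() on all of them first and only calls commit() if the stack as a whole passed, so a module must never add principals or credentials to the Subject before commit(). For point (iii), the UserPrincipal that commit() attaches is the identity a file-based policy grant would refer to by class name and principal name; with the pluggable policy provider the answer mentions, the same principal is what the provider looks up instead.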