Is there any chance you can migrate this data to LDAP? If you put users/roles in an LDAP server, such as OpenLDAP, Active Directory, or SecureWay, you can use the LDAP "User registry" in WebSphere App Server.
In your webpages and servlets, you would still be able to do isUserInRole()..., because this interface goes through the JAAS layer. It's transparent to the programmer. If you later migrate to LDAP, you don't need to change apps, but rather how users/roles are stored.
A lot of developers (including me!) wrote their own "JAAS layers". It's meaningless to run an app server and write these layers yourself.
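A minimal servlet illustrating the point about `isUserInRole()` above, as an added example that is not code from this thread. The class name `ReportServlet` and the role name `manager` are assumptions; the role would be declared as a `<security-role>` in `web.xml` and mapped to registry users/groups at deployment, so this code stays the same whichever user registry backs it.

```java
import java.io.IOException;
import java.security.Principal;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical servlet: authorization is delegated to the container, which
// resolves the caller and roles from whatever user registry is configured.
public class ReportServlet extends HttpServlet {

    // Assumed logical role name; mapped to real users/groups outside the code.
    private static final String REQUIRED_ROLE = "manager";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Null when the container has not authenticated the caller.
        Principal caller = req.getUserPrincipal();
        if (caller == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // Deny by default: only callers holding the role get past this check.
        if (!req.isUserInRole(REQUIRED_ROLE)) {
            log("Access denied for authenticated caller: missing role " + REQUIRED_ROLE);
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        resp.setContentType("text/plain");
        resp.getWriter().println("Report for " + caller.getName());
    }
}
```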
Hi, I think you should have a look at jGuard (http://sourceforge.net/projects/jguard). This security framework enables a JAAS (RBAC principle) integration into a J2EE environment. The upcoming 0.63 release (scheduled for the end of the week) will enable RBAC management through databases (Oracle, PostgreSQL or MySQL) for the authentication purpose. The authorisation part through databases will come in the 0.64 release. The authentication and authorisation parts can also be configured through XML files.