During a recent discussion about our project's security implementation, a friend of mine and I got into a debate on whether JAAS was declarative security or programmatic. I contended that it was programmatic security, since at some point your code under security must make a security check within the code. My pal said it was declarative because JAAS is configured by a policy file that was configurable outside of Java code.
I've been trying to understand J2EE security/JAAS for a week now and still I can't keep the terms straight. I will share my opinion on your question, hoping someone will bring some light.
As far as I understood, declarative security (or container managed security) is handled by the container (DOH!). How it is handled depends on the container implementation. WebSphere, for example, uses JAAS for authentication. The special servlet j_security_check verifies credentials with the help of JAAS login modules. So even though you use declarative security, in WebSphere you are using JAAS indirectly. WebSphere authentication
Programmatic security can be of 2 flavors:
1. Using the request object methods: isUserInRole, getRemoteUser
2. Using JAAS login modules
If someone has a different opinion please share some light.