What is the relationship between a servlet container's use of Container Managed Security and JAAS (if any)? For instance if I am coding security around several servlets, I'd just set up all the protected resources in web.xml and configure my users, passwords and roles in a database (assuming JDBCRealm).
So does JAAS have anything to do with this or is it mostly only used from heavy clients (like Swing) and not from web applications?
Tomcat authentication/authorization model is not made on JAAS. It is a simple role based access control model. The authentication is pluggable through the means of Realms. Authorization is specific to roles retrieved during authentication and checking the access based on it.
JAAS on the other hand defines authentication based on pluggable login modules(similar to tomcat) and the authroization is based on a policy file. This may be used to define role based access control, source code based control(classes in one jar file is allowed to do something and classes in another jar file is not), etc.
Infact, there is a facility to use a JAASRealm with tomcat but the relationship ends after authentication. Tomcat uses its own authorization process. [ July 01, 2008: Message edited by: Nitesh Kant ]
the web.xml specifies the developers view of the security constraints which apply to the application. the container is free to implement them in whichever way it sees best. some, like websphere, use jaas internally to implement these security constraints. if all you care for is that the security guarantees in your web.xml are met, you need not bother about jaas.