You can make some assumptions about this. Firstly, what type of security is your application and web interface providing? LDAP? Credentials in database tables?
The answer to your question depends on the type of security. Some containers use JAAS internally and only require that you use JAAS when operating on a fat application client. Can you elaborate more on your security?
[ May 29, 2007: Message edited by: John Meyers ]
I think your attitude is very promising. I am working in the same direction. Probably the best solution would be to keep users and credentials in the database. The question is how is it possible to build a JAAS LoginModule? In my opinion the LoginModule must
- look up in the database
- AND create a kind of SFSB for the session state management.
Is it feasible / practicable? Who has an example of such a LoginModule?
The other possibility could be an Intercepting Filter like in Petstore. The main drawback of this solution is that it is not possible to use this functionality for a Java client. It works only for a Web client.
Any comments are highly appreciated. Francesco Bianchi
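The database-lookup part of the LoginModule asked about above, as an added example that is not part of the original thread. The class name `DbLoginModule`, the `jdbcUrl` module option and the `app_users(username, salt, iterations, pw_hash)` table are assumptions; the session-state SFSB is not covered.

```java
import java.security.*;
import java.sql.*;
import java.util.*;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;
import com.sun.security.auth.UserPrincipal; // JDK-supplied Principal implementation

public class DbLoginModule implements LoginModule { // hypothetical class name
    private Subject subject; private CallbackHandler handler;
    private String jdbcUrl; private UserPrincipal principal; private boolean ok;

    public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
        subject = s; handler = h;
        jdbcUrl = (String) opts.get("jdbcUrl"); // assumed option name in the JAAS config entry
    }
    public boolean login() throws LoginException {
        ok = false;
        NameCallback nc = new NameCallback("user: ");
        PasswordCallback pc = new PasswordCallback("password: ", false);
        try { handler.handle(new Callback[] { nc, pc }); }
        catch (Exception e) { throw new LoginException("callback handler failed"); }
        char[] pw = pc.getPassword(); // getPassword() returns a copy
        pc.clearPassword();
        if (nc.getName() == null || pw == null) throw new FailedLoginException("login failed");
        // Assumed schema: app_users(username, salt, iterations, pw_hash)
        String sql = "SELECT salt, iterations, pw_hash FROM app_users WHERE username = ?";
        try (Connection c = DriverManager.getConnection(jdbcUrl);
             PreparedStatement ps = c.prepareStatement(sql)) {
            ps.setString(1, nc.getName()); // bound parameter, never string concatenation
            try (ResultSet rs = ps.executeQuery()) {
                if (rs.next()) {
                    byte[] want = rs.getBytes("pw_hash");
                    PBEKeySpec spec = new PBEKeySpec(pw, rs.getBytes("salt"), rs.getInt("iterations"), want.length * 8);
                    byte[] got = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
                    ok = MessageDigest.isEqual(want, got); // constant-time comparison
                }
            }
        } catch (SQLException | GeneralSecurityException e) {
            throw new LoginException("credential store unavailable");
        } finally { Arrays.fill(pw, '\0'); } // wipe the password copy
        if (!ok) throw new FailedLoginException("login failed"); // same message for unknown user and bad password
        principal = new UserPrincipal(nc.getName());
        return true;
    }
    public boolean commit() { if (ok) subject.getPrincipals().add(principal); return ok; }
    public boolean abort() { ok = false; principal = null; return true; }
    public boolean logout() { if (principal != null) subject.getPrincipals().remove(principal); return abort(); }
}
```

An unknown username returns without running PBKDF2, so response time still differs from a wrong password; hashing against a fixed dummy record closes that gap.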