This week's book giveaway is in the OO, Patterns, UML and Refactoring forum. We're giving away four copies of Refactoring for Software Design Smells: Managing Technical Debt and have Girish Suryanarayana, Ganesh Samarthyam & Tushar Sharma on-line! See this thread for details.
JAAS is the be-all and end-all of authentication and authorization APIs. I find it to be overkill for most applications. What's more, it doesn't have anything specific for web services.
The WS-Security standard defines how authentication works for web services. Some time ago I wrote an article in the JavaRanch Journal on how to use it with Axis 2. (There's also an earlier article about Axis 1 which would make good companion reading.)
If you use some other WS toolkit than Axis you'll need to consult its documentation on how to incorporate WS-Security. E.g., the Metro stack has a component called WSIT that does this.
I’ve looked at a lot of different solutions, and in my humble opinion Aspose is the way to go. Here’s the link: http://aspose.com