This week's book giveaway is in the Other Open Source APIs forum. We're giving away four copies of Storm Applied and have Sean Allen, Peter Pathirana & Matthew Jankowski on-line! See this thread for details.
JAAS is the be-all and end-all of authentication and authorization APIs. I find it to be overkill for most applications. What's more, it doesn't have anything specific for web services.
The WS-Security standard defines how authentication works for web services. Some time ago I wrote an article in the JavaRanch Journal on how to use it with Axis 2. (There's also an earlier article about Axis 1 which would make good companion reading.)
If you use some other WS toolkit than Axis you'll need to consult its documentation on how to incorporate WS-Security. E.g., the Metro stack has a component called WSIT that does this.