Well, I followed the JAAS standard. But there is a problem, though. In Tomcat, I can have different Principal class for both my Principal and Roles. But when it comes to JBoss, I should have a different class to represent the roles for my principal.
In short, it looks like I can have or reuse the Principal class across all the servers (at least for JBoss and Tomcat).
But when it comes to authorization, we need to have a custom (container-specific) class to represent the roles.
I think this is where the Spring Acegi security comes into the picture, which promises to use the same JAAS module across all the containers. Spring uses its own class called GrantedAuthority to implement roles.
I never tried Spring Acegi security, but my above understanding is based on my theoretical knowledge.