JAAS is the be-all and end-all of authentication and authorization APIs. I find it to be overkill for most applications. What's more, it doesn't have anything specific for web services.
The WS-Security standard defines how authentication works for web services. Some time ago I wrote an article in the JavaRanch Journal on how to use it with Axis 2. (There's also an earlier article about Axis 1 which would make good companion reading.)
If you use some other WS toolkit than Axis you'll need to consult its documentation on how to incorporate WS-Security. E.g., the Metro stack has a component called WSIT that does this.
Can you really tell me that we aren't dealing with suspicious baked goods? And then there is this tiny ad: