This integration of JAAS authorization into J2EE is the goal of the JACC specification.
For example, you could have your web permissions managed by the JAAS Policy provider instead of being statically defined in web.xml.

I suppose it will be supported by jboss as it is required for J2EE 1.4 containers, but for the moment only the J2EE 1.4 RI (and perhaps the WebSphere early developer release) seems to support this.

Now, about two years later I found this thread and I'm wondering what this looks like today? I'd like to implement something that works almost exactly like what the original poster describes, but I've got a hard time finding info about how to do this, if it is possible with Jboss today.

"ikarpov" wrote:
Hi,
There are Users, Roles, and Rights. Each user has one or more Roles and each Role has zero or more Rights. Speaking in terms of JAAS, these are Subjects, Principals and Permissions respectively. Rights are static and designed into our application code. Users, Roles, Users->Role and Role->Right mappings are all dynamic, i.e. can be changed while the application is running.

Maybe information saved in ldap and a custom ldap jaas module.

Well, saving Users, Roles and Permissions in some sort of storage and then getting them out of there shouldn't be much of a problem. What I'm thinking about is how to say that a certain EJB method requires a certain Permission. There is @RolesAllowed but I haven't found anything like @RequiredPermission. If I make my own anotations for it, what would I need to hack to check against them?

The jacc integration aspect. When I get around to updating the out of date jaas tutorial to cover ejb3 I will look at what is needed in more detail.