Advantage of JAAS is that it deeply integrated into JEE. EJB3 allows you to have method access security, Seam gives you isUserInRole, userPrincipal components, Tomahawk gives you attributes to disable/hide the JSF component and probably some more which I'm unaware of :). The one thing I haven't seen is a nice way of authenticating using a Seam component.
It is a bit difficult getting JAAS set up, but once all the xml files are correct it does 'just work'; there is a security example on the wiki which should get you going (be careful to put all the xml files in the correct archive and in the correct place (META-INF or archive root)).
Thanks, I'll give that a try. It would be disapointing to have something as modern as Seam and then have to write a dumb old filter again. Also I do want fine-grained security. Like I might have a changeCreditLimit() method, and only an Admin should be able to call that. I know that JAAS can manage stuff like that. So I'll grind through whatever XML madness I need to do to get it working.