In my opinion, the Java EE specifications covering security have been proceeding at a slower pace in comparison to the growing needs of the complex heterogeneous enterprises (Mergers and Acquisitions are happening at a healthy pace).
Recently, I was fortunate enough to participate in a OASIS XACML Panel at the IDTrust 2008 workshop at NIST, Gaithersburg, MD. XACML is certainly a positive step in defining a language for the complex space of access control. Whether xacml is the perfect solution to meet growing complex fine grained authorization needs of the Java EE space, remains to be seen, but it certainly has the goods to meet the current needs. I made a case for extending Java EE specs to incorporate Identity and Access Control needs for the various containers.