You can use all those frameworks. jBPM does not rely on any authentication framework in particular. Make the authenticated user known to jBPM after the authentication using the JbpmContext.setActorId() method.
I am doing that (settng the authenticated user id with JbpmContext.setActorId())
However, when I pull the logs, the actorId field is always null. I've combed through the source, and I don't see anyway to record the current authenticated actor in the log record (i.e., ProcessLog).
For example, I need the log to reflect the user who (for example) completed a task instance, started a process instance, etc.
Thanx for any help.
I've thought about authentication and authorization.
It seems you can usually protect the system using authentication module for the existing application (e.g. JAAS, ACEGI). But, if you are developing a highly sensitive system, you may want to add an additional layer of security. With the additional layer, if someone can connect to the system and has processId's (highly unlikely), you can prevent the system from unauthorized activity.
In general, it seems you don't need the authentication and authorization that comes with jbpm. My 2 cents.