AFAIK you cannot. JAAS security policies do not allow you to grant permission depending on the runtime value of a parameter, e.g. a user may edit products that belong to "his" department.
JAAS is not a security implementation. It is an API for interacting with security implementations. Seam can interact with JAAS, but years of experience with JAAS have proven that it is not a very effective API. It works ok for the most basic role-based authorization, but it's too heavy and inflexible to be used directly for the type of authorization tasks we were targeting.
Why did we just use Drools? First, keep in mind that you only need to use Drools to implement fine-grained permissions. If you just need simple roles, then you don't need to use Drools. A rule base makes sense to implement this type of thing. Everyone on the Seam team knows and likes the Drools guys. Drools works well, and it plays nicely with JBPM, which we also use. We'd always prefer to use standards-based technologies, but where no useful standard exists, we have to pick something.
The good news is that Seam is a very flexible system. It should not be hard for someone to implement support for another rules engine. If there is any interest in that from the Seam community, I'm sure it will happen.
It works ok for the most basic role-based authorization, but it's too heavy and inflexible to be used directly for the type of authorization tasks we were targeting.
What is the authorization type at JBoss Seam you are targeting?
Both simple (Identity, no dependency on Drools, can integrate with JAAS) and complex (RuleBasedIdentity, uses Drools to define authorization rules, can integrate with JAAS).
Drools DOES NOT "implement" security in Seam.
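As an added example (not part of the thread, and not Seam, Drools or JAAS code): the "his department" rule from the first post next to a role-only check, in plain Java 16+. All names (`User`, `Product`, `hasRole`, `canEdit`) and the sample data are hypothetical.

```java
import java.util.Set;

// Added illustration; every name here is hypothetical, not a Seam, Drools or JAAS API.
public class DepartmentPermissionDemo {
    record User(String name, String department, Set<String> roles) {}
    record Product(String sku, String department) {}

    // Coarse check: decided from the user's roles alone, like a static grant.
    static boolean hasRole(User u, String role) {
        return u != null && u.roles().contains(role);
    }

    // Fine-grained check: the decision also needs the object being acted on.
    static boolean canEdit(User u, Product p) {
        if (u == null || p == null) {
            return false;                               // deny by default
        }
        if (hasRole(u, "admin")) {
            return true;                                // role-only rule
        }
        return hasRole(u, "editor")
                && u.department() != null
                && u.department().equals(p.department()); // instance-dependent rule
    }

    public static void main(String[] args) {
        // Constructed sample data.
        User alice = new User("alice", "hardware", Set.of("editor"));
        Product drill = new Product("HW-1", "hardware");
        Product novel = new Product("BK-7", "books");

        // The role check cannot tell the two products apart.
        System.out.println("editor role: " + hasRole(alice, "editor"));
        // The instance check compares the product's department at call time.
        System.out.println("edit " + drill.sku() + ": " + canEdit(alice, drill));
        System.out.println("edit " + novel.sku() + ": " + canEdit(alice, novel));
    }
}
```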