1. I don't need declarative security, because our application is Ajax-based.
2. I need JAAS, because I'd like to use it with EJB.
3. The only option I see (setting aside some perverse methods including servlets, redirects and j_security_check) is to do login stuff manually.
So, now I'm struggling to implement a method:
void authenticateUser(HttpServletRequest request, long userId, String role)
LoginContext lc = null;
lc = new LoginContext("Sample", new MyCallbackHandler());
lc.login();