With the current Jaas based setup , we have the PolicyConfig as the holder of the configuration across application policies. But we still rely on javax.Security.auth.Configuration (XMLLoginImpl) since the Jaas framework works off of the Configuration static class.

Now that our configuration should hold both authentication (jaas/jaspi) and authorization info, I am more inclined to use the PolicyConfig object directly because it has been parsed (and can be obtained through a jmx based service or injection in future).

Options:
a) Use the PolicyConfig object to query authentication (jaspi) as well as authorization config. [Jaas can use the default Configuration]
or
b) Build a SecurityConfiguration layer along the lines of Configuration

Option b) does not make sense to me.

Your thoughts/ideas?