javax.security is imho an overcomplicated API. As a result, there are implementors of not only LoginModules but the entire authentication and authorization API, which create an abstraction layer above it, like Authentication & Authorization managers.
For starters, it is good to print **[this][1]** into your memory.
Secondly, imho the simplest set-up-and-go library for JAAS is JBoss [PicketBox][2]. It says how to do authentication and authorization via JBossAuthenticationManager and JBossAuthorizationManager ... Easily configurable via XML or annotations. You can use it for managing both webapps and standalone applications.
If you need the authorization part for managing repository access, in terms of ACLs for resources, this is for sure what you are looking for.
The problem with security is that you usually need to customize it to your needs, so you may end up implementing:

- **LoginModule** - verifies userName + Password
- **CallbackHandler** - used like this: `new LoginContext("Sample", new MyCallbackHandler());`
  The CallbackHandler is passed to the underlying LoginModules so they may communicate and interact with users - prompting for a username and password via a graphical user interface, for example. So inside the handler you get the username and password from the user, and they are passed to the LoginModule.
- **LoginContext** - then you just call `lc.login();` and authenticate the credentials. The LoginContext is populated with the authenticated Subject.

However, JBoss PicketBox gives you a really easy way to go, unless you need something specific.