I am going to write a thesis about JAAS with the goal to evaluate the use of JAAS on different business applications based on the authentication.
Given that in JAAS the authentication is made independently from the application, it's not appropriate to use JAAS on every business application.
For example, some applications need the user logged in, but JAAS returns only true or false depending on the user, if he is able to use the application or not.
So could you please name me good literature which describes when to use JAAS for which kind of application?
A more enquiring mind would at least have wondered why it is called an Authentication and Authorization service, if all it does is return a single bit. I suggest you should do your research before deciding whether or not JAAS is useless instead of afterwards. JAAS login modules populate the Subject with Principals representing roles the user occupies, which in turn authorize him to use the corresponding parts of the application. It isn't as simple as a single bit indicating whether the user logged in or not.