I have spent quite a number of months on this JAAS topic already, but in the end I have still failed to configure it on the web project. I have been trying so hard to get it to work, and have read tons of resources on the configuration, and now I am damn tired of this JAAS (on the web). During this experiment, I found out that JAAS is just a low-level security framework to secure resources beyond the web application level. It is so low-level that I am required to configure it in the server. Frankly speaking, such low-level configuration isn't my favorite due to its maintenance effort.
For example, I'm required to put the following code in catalina.policy under <tomcat_dir>/conf:
I found this is so not programmer-friendly when it comes to development. Anyhow, there is a workaround: put the following code inside Eclipse's server launch configuration under the VM arguments:
When I launch the server, I see my expected login page; after I type in the correct username and password, the browser redirects me to HTTP Status 403 - Access to the requested resource has been denied.
What else did I miss configuring? I think I will just forget about the JAAS thing since Spring Security can achieve my objective easily.