This is an excellent short article that looks at J2EE security in web applications. Frank notes that current frameworks do not integrate well with the tools needed to build secure applications. He goes on to note that the current implementations of having security in the client, controller and business model is not ideal and multiple non synchronised configuration files or repositories are needed. Frank suggests that JAAS is suitable but doesn't implement end top end security. He talks about JSF and its problems of no application security integration and he goes on to introduce Asegi's security architecture.
Frank discusses Asegi framework and the issues of JAAS and discusses the Struts 2.x 'Shale' proposal. Frank finishes with his views of the possible future of this area. Interesting post, again its here.