JAAS and functional security ?


I've always liked JAAS as it provides for a pluggable login mechanism. The exact same code is used for login to LDAP, NT, Kerboros, passwd files, Propertiary system A, B, C etc. That's beautifull ;)

The only thing i'm really missing, is to find good usages of the SecurityManager, Subject, Prinicipal and Credentials classes/concepts. I can find loads of articles talking about the pluggable architechure, the ClassLoader protection and encryption support of JAAS - but no real articles about how one would go about doing something like:


   public List findDrugs(x,y,z) {
      checkPermission("MayFindDrugs");
      List drugs = performSearch(x,y,z);
      foreach drug in Drugs {
         if(drug.isNarcotic() && checkPermission("MayPrescribeNarcotics")) {
            result.add(drug);
         } else {
            result.add(drug);
         }
      }
   }


In other words - how would one setup JAAS and all its "cousins" classes, policy-file etc. to provide
FUNCTIONAL security ?

Also the current file based policy system seems to restrictive, simple and unmanageble, isn't there
any good example of a good, clean and flexible policy "provider" ?

And is JAAS the right tool for the job ? (I hope so as it seem to have all the needed parts...)

Maybe I'm just not seeing the forrest for all the trees - but I just can't seem to find it....maybe I don't got
the right Credentials yet ? ;-)