Actually, if you want transparent access control, it's not the presentation part that's of concern, it's the authentication framework. In other words, what's really meant here is Container Based Authentication being used with an authentication Form as opposed to a Dialog or other request for credentials.
And, as far as this being server-dependent, container-based authentication is part of the
J2EE standard as expressed in the schema (formerly DTD) for web.xml. I know of no modern server, be it simple (Tomcat, Jetty) or full (WebLogic,
JBoss, WebSphere or JOnAS) where you would be obliged to make any mods to the deployable
unit when you ported the app.
Different appservers have different ways (often multiple ways) to configure the container's authorization configuration, but that's an operational concern, not a software design consideration.
As a matter of fact, at the moment I'm in the process of converting our apps from container-based database security to container-based Active Directory security. The only changes that I've been forced to make to the apps are those where the original design used foreign keys on the application schema to refer to user definition tables now being replaced with LDAP entries. Which would be an issue whether we'd used container security, wrapper security (filters), or security coded internal to the apps.
I do make one qualification to this assertion. In Tomcat4, I discovered that it wasn't a good idea to include external references (CSS, graphics, etc) on the login forms themselves, since the diverter wasn't handling them properly. So my login pages are all self-contained.