Both EJB and JAAS offer mechanisms where you can stop some users doing certain things.
In EJB, you can annotate business methods, and in JAAS you can configure a Principal's privileges in policy files.
I am trying to get into my head the differences between authorisation in JAAS and authorisation in EJB.
How about this:
1. In JAAS, anything that requires privileges is put into a class which implements java.security.PrivilegedAction. This means that some code that isn't even an EJB can have some of its privileges restricted.
2. In JAAS the range of privileges is defined by the security model. They consist of things like file access, reading certain system properties, etc. EJB security access doesn't have any configuration for things like file access or reading system properties. You'd have to put the parts of your code that do this into methods and then annotate those methods.
3. In EJB the authorisation consists only of whether it is permissible for a user to execute a certain method or not. JAAS doesn't provide this out of the box. I think you could check the principal at runtime and then write some if / else logic, but it doesn't come out of the box.
Correct me if I am wrong on any of the above and feel free to add any key conceptual difference between the two I have missed.
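Point 3 of the question describes doing a method-level role check by hand in JAAS. The following is an added example (not code from the question or from any JAAS/EJB implementation) of what that looks like: a Subject carrying role Principals runs a PrivilegedAction under Subject.doAs, and the guarded method pulls the Subject back out of the AccessControlContext and checks its principals itself. The names RolePrincipal, approveExpense and hasRole are assumptions made for this example; in a real deployment the principals would be populated by a LoginModule rather than built inline.

```java
import java.security.AccessController;
import java.security.Principal;
import java.security.PrivilegedAction;
import javax.security.auth.Subject;

public class JaasRoleCheck {

    // Constructed principal type standing in for whatever a LoginModule
    // would add to the Subject after a successful login (assumption).
    static final class RolePrincipal implements Principal {
        private final String name;
        RolePrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public String toString() { return "Role(" + name + ")"; }
    }

    // The "business method". In EJB this check would be a single
    // @RolesAllowed("manager") on the method; in plain JAAS we have to
    // fetch the caller's Subject and write the if/else ourselves.
    static String approveExpense(int amount) {
        Subject caller = Subject.getSubject(AccessController.getContext());
        if (caller == null || !hasRole(caller, "manager")) {
            throw new SecurityException("caller lacks role 'manager'");
        }
        return "approved " + amount;
    }

    // Hand-written role test over the Subject's RolePrincipal entries.
    static boolean hasRole(Subject subject, String role) {
        for (RolePrincipal p : subject.getPrincipals(RolePrincipal.class)) {
            if (p.getName().equals(role)) {
                return true;
            }
        }
        return false;
    }

    // Builds a read-only Subject carrying the given roles (constructed test data).
    static Subject subjectWithRoles(String... roles) {
        Subject subject = new Subject();
        for (String r : roles) {
            subject.getPrincipals().add(new RolePrincipal(r));
        }
        subject.setReadOnly();
        return subject;
    }

    public static void main(String[] args) {
        Subject manager = subjectWithRoles("employee", "manager");
        Subject clerk = subjectWithRoles("employee");

        // The privileged work is wrapped in a PrivilegedAction, as the
        // question describes; Subject.doAs binds the Subject to the
        // AccessControlContext for the duration of run().
        PrivilegedAction<String> action = () -> approveExpense(500);

        System.out.println("manager: " + Subject.doAs(manager, action));
        try {
            Subject.doAs(clerk, action);
            System.out.println("clerk: unexpectedly allowed");
        } catch (SecurityException e) {
            System.out.println("clerk: denied (" + e.getMessage() + ")");
        }
    }
}
```

Compile and run with `javac JaasRoleCheck.java && java JaasRoleCheck`. Subject.getSubject(AccessControlContext) is deprecated from JDK 18 onwards in favour of Subject.current(); on those releases swap the first line of approveExpense accordingly. Note that nothing here consults a policy file: the policy file governs java.security.Permission checks (file access, system properties and the like), whereas this role-to-method mapping is exactly the piece that EJB expresses declaratively and JAAS leaves to application code.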