Based on what you have said, I can only assume that you are very new to web security in Java. And based on that, I can pretty confidently predict that if you attempt to create your own login/security system, it will be very insecure, since most "expert" Java web developers do, based on my years of experience. Most user-designed security systems have major holes in them such that unskilled non-technical users can bypass security in under 15 minutes, based on what I've seen.
The J2EE standard container web security system has several advantages.
1. It was designed by people who were full-time security professionals, not someone who was told to "write this app - and while you're at it, make it secure".
2. It conforms to best practices in security, such as never volunteering information that could help an invader break in.
3. It is a standard system, so anyone competent with J2EE can sit down and work with it and even find books about it. One-off systems almost never have that advantage.
4. The container-based security system is the ONLY system that can use the security definitions that you code in web.xml or via the J2EE security methods such as "isCallerInRole". No user-defined security system can tie into them. At least not without doing serious violence to the server/application architecture.
5. This is a system that has been used for many kinds of apps in many places for well over 10 years. If it has ever been broken, I haven't heard about it. It has withstood the test of time virtually unchanged.
One of the things that sounded odd in your original question had to do with some sort of login "dialog". Web applications have several choices on how to prompt for login security credentials. BASIC login causes a dialog to pop up on the client's screen, but the client application (browser) is solely in charge of presenting that dialog and in making it go away, as well as sending the credentials to the server. FORM-based login presents an actual web page (form), uses the j_security_check pseudo-action and does not pop up any dialogs. FORM-based login is considered more secure than BASIC login. Also BASIC logout can be difficult, often requiring the user to terminate the browser to log out, whereas FORM-based logins are terminated by simply invalidating the HttpSession object.
In any event, web applications are not processed in the same way that non-web applications are. There is no protection for methods as such, only for URLs, since the client can never directly call the server methods, only transmit HTTP requests that cause control to be routed to application code. While you can use JAAS as a plug-on for container authentication, the actual authentication process is still exactly the same as it is when you're using databases, LDAP/Active Directory, XML "tomcat-users.xml" or any other possibly more exotic authentication reference (including Single Sign-On services).
I think, in short, that what you really need to do is look at some good books on J2EE and Java Web Security. Also, be warned that a LOT of basic J2EE books cover how to work with the container security system and then promptly invalidate what they have taught by using "login screen" examples using user-designed security. I wish they wouldn't do that.