yes i develope custom JAAS and use JAX-WS in developing web services
but because of lack of tomact for handling WS-Security, i extend the tomcat securty manager, and add another type of auth method called it "wsse"
and custom authintacator that check incomming soap message and integrate with configured JAAS relam, that populate user principles and let the web container to manager security for web service
but i'm now, relize that this approche is not standard and should be another one that fit is this case
so, how can i use metro for securing web service to support userToken or saml token