I would like some input as to the best security model to use for my existing forum-based webapp. The alternatives I'm considering are using Tomcat's declarative security (DataSourceRealm) or going with a full JAAS implementation. The problem is that I'm not sure if JAAS is a bit overkill for what I need to do.
The webapp is a struts servlet webapp - no EJBs or other tiers (which is why I think JAAS might be overkill)
My webapp is similar to a forum - many of the methods require the userId of the logged in user, for example, to get a list of the posts this user has made to the forum, something like this:
public List getThisUsersPosts(int userId){ ... }
With the declarative security model, I was thinking of using a superclass Servlet/action that will obtain the userId and make it available to the servlets/actions that extend it. The first time the userId is required, the superclass will have to get the userId from the database based on the username in the request (this is using declarative security). Something like this:
    // Integer rather than int: a primitive cannot hold the "not yet loaded" null
    private Integer userId = null;

    protected int getUserId(HttpServletRequest request) {
        if (userId == null) {
            // declarative security gives us only the username; map it to the id once
            userId = getUserIdFromDatabase(request.getRemoteUser());
        }
        return userId;
    }
The other alternative is to use JAAS to do much of the same thing, but since I've never worked with JAAS before, I was hoping someone could tell me if this is overkill or not?
I've only briefly read about JAAS - I wanted to check if
a) is JAAS overkill for my problem?
b) if I used JAAS could I code a Principal object that would natively hold the userId, so I wouldn't have to use a superclass as described above? i.e. could I do something like:
    ((MyPrincipal) request.getUserPrincipal()).getUserId();
Thanks for the input!
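As an added illustration (not code from the asker), one way to serve both options from a single base Action: a custom Principal that carries the userId (what a JAAS LoginModule could produce), plus a fallback for the plain DataSourceRealm case that looks the id up by username and caches it in that user's HttpSession rather than in a field of the Action, because a Struts Action instance is shared by all concurrent requests and an instance field would hand one user's id to another user's request. The class names UserPrincipal and CurrentUser and the Map standing in for the database are assumptions.

```java
import java.security.Principal;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/** Principal that natively carries the numeric userId (hypothetical, JAAS-style). */
public final class UserPrincipal implements Principal {
    private final String name;
    private final int userId;

    public UserPrincipal(String name, int userId) {
        this.name = name;
        this.userId = userId;
    }

    @Override public String getName() { return name; }
    public int getUserId() { return userId; }
}

/** Hypothetical helper used by the base Action to resolve the caller's userId. */
final class CurrentUser {
    private static final String SESSION_ATTR = "currentUserId";
    private final Map<String, Integer> userTable; // stands in for the database lookup

    CurrentUser(Map<String, Integer> userTable) { this.userTable = userTable; }

    int resolve(HttpServletRequest request) {
        Principal p = request.getUserPrincipal();
        if (p == null) {
            // Protected actions must never run for an unauthenticated request.
            throw new IllegalStateException("unauthenticated request reached a protected action");
        }
        // JAAS path: the container-provided Principal already knows the userId.
        if (p instanceof UserPrincipal) {
            return ((UserPrincipal) p).getUserId();
        }
        // Declarative-security path: only the username is known. Look it up once and
        // cache it in this user's own session, never in a field of the shared Action.
        HttpSession session = request.getSession();
        Integer cached = (Integer) session.getAttribute(SESSION_ATTR);
        if (cached == null) {
            cached = userTable.get(p.getName());
            if (cached == null) {
                throw new IllegalStateException("authenticated user has no account row: " + p.getName());
            }
            session.setAttribute(SESSION_ATTR, cached);
        }
        return cached;
    }
}
```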