One problem I had with JAAS was the lack of standard Callbacks
to be used from logins - we can ask for name/password, but what if we want
to implement cert-based auth?
A similar problem on the other side - after auth, how can we pass the
roles, without inventing our own specific interfaces?
For the second problem - JBoss has a good solution, just return a Group
(which is a Principal) with the name "roles", containing one Principal
for each supported role.
For the first - TextInputCallback sounds like a good workaround. Place the
name of the info as prompt, and get back what's needed.
The benefit of those simple (but hacky) solutions is that they keep the
LoginModule independent of a particular container. That's the whole point
of JAAS - to keep the auth code independent.
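
The two conventions described above, combined in one container-independent LoginModule. This is an added example, not code from the original post or from JBoss: the class names, the prompt key "client.cert.subject" and the fixed "user" role are assumptions. It also assumes the container's CallbackHandler answers that prompt only from a client certificate already verified by its TLS layer, and it needs JDK 8-13 because java.security.acl.Group was removed in JDK 14.

```java
import java.io.IOException;
import java.security.Principal;
import java.security.acl.Group; // deprecated in JDK 9, removed in JDK 14
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;
public class CertLoginModule implements LoginModule {
    static class Named implements Principal { // plain named Principal (hypothetical helper)
        final String name;
        Named(String name) { this.name = name; }
        public String getName() { return name; }
        @Override public boolean equals(Object o) { return o instanceof Named && ((Named) o).name.equals(name); }
        @Override public int hashCode() { return name.hashCode(); }
    }
    static class Roles implements Group { // Group named "roles", one member Principal per role
        private final Set<Principal> members = new LinkedHashSet<>();
        public String getName() { return "roles"; }
        public boolean addMember(Principal p) { return members.add(p); }
        public boolean removeMember(Principal p) { return members.remove(p); }
        public boolean isMember(Principal p) { return members.contains(p); }
        public Enumeration<? extends Principal> members() { return Collections.enumeration(members); }
    }
    private Subject subject;
    private CallbackHandler handler;
    private String certSubject;
    public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) { subject = s; handler = h; }
    public boolean login() throws LoginException {
        // The prompt names the wanted info; "client.cert.subject" is an assumed key, not a standard one.
        TextInputCallback cb = new TextInputCallback("client.cert.subject");
        try {
            handler.handle(new Callback[] { cb });
        } catch (IOException | UnsupportedCallbackException e) {
            throw new LoginException("container cannot supply " + cb.getPrompt());
        }
        certSubject = cb.getText();
        if (certSubject == null || certSubject.isEmpty()) throw new FailedLoginException("no client certificate");
        return true;
    }
    public boolean commit() {
        if (certSubject == null) return false; // this module's login() did not succeed
        Roles roles = new Roles();
        roles.addMember(new Named("user")); // role lookup is deployment-specific; fixed here
        subject.getPrincipals().addAll(Arrays.asList(new Named(certSubject), roles));
        return true;
    }
    public boolean abort() { certSubject = null; return true; }
    public boolean logout() { subject.getPrincipals().removeIf(p -> p instanceof Named || p instanceof Roles); return true; }
}
```

A container that does not recognise the prompt should throw UnsupportedCallbackException rather than return user-supplied text, so the module fails closed instead of trusting an unverified identity.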