single sign-on. But if you don't have a SAML authentication authority, then you probably don't want to use SAML.
Can I use SAML for just Authorization Authority?
But you don't need to use either SAML or WS-Security to implement authentication or authorization. There are a number of authentication mechanisms that you can use: HTTP Basic, HTTP Digest, SPKM (X.509 certificates). The challenge that you need to solve is mapping these transport-level authentication mechanisms to a security principal within your environment. You will need to implement a transport-level interceptor to capture the authentication information and map it to a principal. Then you need to carry that context with your request until you get to the service dispatch point, at which point you can use JAAS to determine if that principal is authorized to access the requested service.
You also don't have to use JAAS. Any proprietary API would work also.
Best regards, Ricky
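The flow described in the reply above (intercept the transport-level credentials, map them to a principal, carry that context to the dispatch point, authorize there), as an added example that is not part of the original thread. It uses the JAAS `Subject` and `Principal` types; the class name, the user map and the ACL lookup that stands in for a JAAS policy decision are assumptions made for illustration, and it needs Java 16 or later.

```java
import static java.nio.charset.StandardCharsets.UTF_8;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;

public class BasicAuthDispatch {
    // Constructed sample data; a real credential store would hold password hashes.
    static final Map<String, String> USERS = Map.of("alice", "s3cret", "bob", "hunter2");
    // Hypothetical policy: service name -> principals allowed to invoke it.
    static final Map<String, Set<String>> ACL = Map.of("OrderService", Set.of("alice"));
    // Carries the authenticated Subject from the interceptor to the dispatch point.
    static final ThreadLocal<Subject> CONTEXT = new ThreadLocal<>();
    record UserPrincipal(String name) implements Principal { public String getName() { return name; } }

    // Transport-level interceptor: turn an HTTP Basic header into a principal.
    static boolean intercept(String header) {
        CONTEXT.remove(); // never inherit a previous request's identity
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) return false;
        byte[] raw;
        try { raw = Base64.getDecoder().decode(header.substring(6).trim()); }
        catch (IllegalArgumentException e) { return false; } // malformed base64
        String decoded = new String(raw, UTF_8);
        int colon = decoded.indexOf(':'); // the password may itself contain ':'
        if (colon < 0) return false;
        String user = decoded.substring(0, colon);
        byte[] given = decoded.substring(colon + 1).getBytes(UTF_8);
        String expected = USERS.get(user);
        // Constant-time comparison of the supplied and stored secrets.
        if (expected == null || !MessageDigest.isEqual(expected.getBytes(UTF_8), given)) return false;
        Subject subject = new Subject();
        subject.getPrincipals().add(new UserPrincipal(user));
        CONTEXT.set(subject);
        return true;
    }

    // Service dispatch point: authorize the carried principal for the requested service.
    static String dispatch(String service) {
        Subject subject = CONTEXT.get();
        if (subject == null) return "401 unauthenticated";
        Set<String> allowed = ACL.getOrDefault(service, Set.of()); // default deny
        boolean ok = subject.getPrincipals().stream().anyMatch(p -> allowed.contains(p.getName()));
        return ok ? "200 " + service : "403 forbidden";
    }
    public static void main(String[] args) {
        for (String cred : List.of("alice:s3cret", "bob:hunter2", "bob:wrong")) {
            String h = "Basic " + Base64.getEncoder().encodeToString(cred.getBytes(UTF_8));
            System.out.println(cred + " -> " + (intercept(h) ? dispatch("OrderService") : "401 unauthenticated"));
        }
    }
}
```

On a pooled-thread server the context should also be cleared in a `finally` block once dispatch returns, so an identity cannot leak into the next request handled by the same thread.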