Timothy, you rock!
Not me... These are the guys that rock... http://docs.safehaus.org/display/TRIPLESEC/Team
Anyway... While I'm not Mr. JAAS, I would like to point out that Guardian uses a subclass of the JAAS Krb5LoginModule to perform authentication and that it returns a SafehausPrincipal, which is a specialized subclass of the JAAS Principal. The SafehausPrincipal exposes the authenticated user's authorization Profile for the given application with which to apply RBAC.
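The pattern described in the post above, as an added Java example that is not Guardian's code: a `Krb5LoginModule` subclass leaves authentication to Kerberos and attaches a profile-carrying principal on commit, and the application then makes a deny-by-default RBAC check against it. `ProfilePrincipal`, `ProfileKrb5LoginModule`, `PROFILES` and the permission strings are hypothetical stand-ins and say nothing about the real `SafehausPrincipal` or `Profile` API.

```java
import java.security.Principal;
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.login.LoginException;
import com.sun.security.auth.module.Krb5LoginModule;

public class ProfilePrincipalDemo {
    // Hypothetical principal carrying one application's permissions (not Guardian's class).
    static final class ProfilePrincipal implements Principal {
        private final String name;
        private final Set<String> permissions; // copied at construction, immutable afterwards
        ProfilePrincipal(String name, Set<String> permissions) { this.name = name; this.permissions = Set.copyOf(permissions); }
        @Override public String getName() { return name; }
        boolean hasPermission(String p) { return permissions.contains(p); }
    }
    // Constructed sample profile store; a real deployment would query its policy store.
    static final Map<String, Set<String>> PROFILES = Map.of("alice@EXAMPLE.COM", Set.of("reports:read"));
    // Kerberos does the authentication; commit() only attaches the profile afterwards.
    public static class ProfileKrb5LoginModule extends Krb5LoginModule {
        private Subject subject;
        @Override public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
            this.subject = s; // the parent keeps its own reference private
            super.initialize(s, h, shared, opts);
        }
        @Override public boolean commit() throws LoginException {
            if (!super.commit()) return false; // no profile without a successful Kerberos login
            for (KerberosPrincipal kp : subject.getPrincipals(KerberosPrincipal.class))
                subject.getPrincipals().add(new ProfilePrincipal(kp.getName(), PROFILES.getOrDefault(kp.getName(), Set.of())));
            return true;
        }
        @Override public boolean logout() throws LoginException {
            boolean ok = super.logout(); // throws if the Subject is read-only
            subject.getPrincipals().removeIf(p -> p instanceof ProfilePrincipal);
            return ok;
        }
    }
    // Deny by default: access needs a ProfilePrincipal that lists the permission.
    static boolean isAllowed(Subject subject, String permission) {
        return subject.getPrincipals(ProfilePrincipal.class).stream().anyMatch(p -> p.hasPermission(permission));
    }
    // Runs without a KDC: builds by hand the Subject that a successful login would leave behind.
    public static void main(String[] args) {
        Subject s = new Subject();
        s.getPrincipals().add(new ProfilePrincipal("alice@EXAMPLE.COM", Set.of("reports:read")));
        System.out.println(isAllowed(s, "reports:read") + " " + isAllowed(s, "reports:delete"));
    }
}
```

A user who authenticates but has no entry in the profile store gets an empty permission set, so every check for that user is denied.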