If this is one of the best ways to authenticate a user in Java EE 6.
Are there any good reasons to use JAAS in authentication/user login? Talking about package: javax.security.auth
JAAS application to a simple webapp isn't trivial so that's why I'm asking. Here is an example.
It might be needed for authorization anyways.
If you're going to rely on the container to enforce authorization through the use of @RolesAllowed annotations, then the answer is yes, you will need JAAS.
As to whether it is complex or not, it really depends on the LoginModule implementation that you'll be using. Containers do come with LoginModule implementations out of the box, especially to authenticate against identity stores like files, LDAP servers or databases. If that is all you require, you could be using those instead of wiring up your own implementation.
If you really want to write a LoginModule like Antonio Goncalves has done, you'll need to understand the role of a LoginModule and JAAS. His module uses the CustomerService built into his app during the authentication process. The module simply looks up the CustomerService bean through the CDI BeanManager and delegates all authentication requests to the findCustomer(username, password) method. A LoginException is thrown if no customer is found for the provided credentials.
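
A sketch of the LoginModule life cycle the answer describes, added here as an example (it is not part of the original answer and not Antonio Goncalves's code). Assumptions: the nested CustomerService interface, its boolean return type and the in-memory account are hypothetical stand-ins for the application's bean, which the real module obtains through the CDI BeanManager; the lambda Principal is a simplification.

```java
import java.security.MessageDigest;
import java.security.Principal;
import java.util.Arrays;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

public class CustomerLoginModule implements LoginModule {
    // Hypothetical stand-in for the app's CustomerService; a real one checks a stored password hash.
    interface CustomerService { boolean findCustomer(String user, char[] password); }
    static CustomerService service = (u, p) -> "alice".equals(u)   // constructed test account
            && MessageDigest.isEqual(new String(p).getBytes(), "s3cret".getBytes());
    private Subject subject;
    private CallbackHandler handler;
    private Principal principal;   // non-null only after login() succeeded

    @Override public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
        subject = s; handler = h;
    }
    @Override public boolean login() throws LoginException {
        NameCallback name = new NameCallback("username");
        PasswordCallback pass = new PasswordCallback("password", false);
        try { handler.handle(new Callback[] { name, pass }); }
        catch (java.io.IOException | UnsupportedCallbackException e) {
            throw new LoginException("cannot obtain credentials: " + e.getMessage());
        }
        char[] pw = pass.getPassword();   // getPassword() returns a copy
        pass.clearPassword();             // wipe the callback's internal buffer
        try {
            // One message for unknown user and wrong password, so callers cannot enumerate accounts.
            if (name.getName() == null || pw == null || !service.findCustomer(name.getName(), pw))
                throw new FailedLoginException("invalid credentials");
            String user = name.getName();
            principal = () -> user;       // Principal has one abstract method, getName()
            return true;
        } finally {
            if (pw != null) Arrays.fill(pw, '\0');   // do not leave the password on the heap
        }
    }
    @Override public boolean commit() {   // phase 2: populate the Subject only after login() succeeded
        if (principal == null) return false;
        subject.getPrincipals().add(principal);
        return true;
    }
    @Override public boolean abort() { boolean had = principal != null; logout(); return had; }
    @Override public boolean logout() {
        if (principal != null) subject.getPrincipals().remove(principal);
        principal = null;
        return true;
    }
}
```

The module is selected by naming its class in the JAAS login configuration (or the container's realm configuration) with a control flag such as required; the container then supplies the CallbackHandler.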