However JAAS is not very OSGi friendly (well, most of the JEE specifications are not, and I'll talk about the others in another post), mostly because is makes some strong assumptions upon the thread context classloader, and this, mainly on the client code. This means the client that uses the JAAS api to authenticate has to have all the login modules available in its thread context classloader. This is usually not the case in OSGi.
So the solution is to use a proxy login module that will be available to all bundles (by using the boot framework delegation package). This proxy login module can use some OSGi properties on the login module configuration to determine the actual class to use and the bundle to load it from.
Using a simple XML schema for Spring, you can deploy a JAAS realm very easily:
<jaas:config id="realm" xmlns:jaas="http://servicemix.apache.org/jaas">
<jaas:module className="org.apache.servicemix.kernel.jaas.config.SimpleLoginModule" flags="required">
This will register a service in OSGi that the OSGi specific Configuration for JAAS will discover and make it available for clients.
Find more informations on the ServiceMix Kernel JAAS doc.