First, I refer Java official document to implement an application (not web application) for understand mechanism of JAAS. 
You need to add following VM arguments when you run this application:
-Djava.security.manager -Djava.security.auth.login.config=D:/jaas.config -Djava.security.policy==D:/my.policy
 
In brief, we need following steps for complete this application:
1, Implement a RdbmsLoginModule class for authentication a user who save in RDBMS;
2, Validate some authentication information (in general, use username and password) by our custom CallbackHandler class, and judge right of user in login() method of LoginModule;
3, Add a "Principal" object or many "Principal" objects to subject of certain login session for presentation permissions of user in commit() method of LoginModule;
4, Define a policy file for mapping principals and operations;
5, Execute operations by doAs() method or doAsPrivaliged() method of Subject class for check permission of principal(s).
 
Related references:
LoginModule Developer's Guide:
http://java.sun.com/javase/6/docs/technotes/guides/security/jaas/JAASLMDevGuide.html
JAAS Authentication Tutorial:
http://java.sun.com/javase/6/docs/technotes/guides/security/jaas/tutorials/GeneralAcnOnly.html#SampleLMPrincipal
JAAS Authorization Tutorial:
http://java.sun.com/javase/6/docs/technotes/guides/security/jaas/tutorials/GeneralAcnAndAzn.html
Default Policy Implementation and Policy File Syntax:
http://java.sun.com/j2se/1.5.0/docs/guide/security/PolicyFiles.html
 
===============================================================================================
In Java server side, I was supposed we use BlazeDS (an open source project from Adobe, for integrate Flex and Java enterprise application server) for support Flex remote call, and I have complete login function.
In fact, a Flex remote call is based on HTTP/HTTPS, so I think we are able to use HttpSession to save user session, 
 
Related references:
BlazeDS official website:
http://opensource.adobe.com/wiki/display/blazeds/BlazeDS/
 
===============================================================================================
Unfortunately, it seems that the authorization's implement of JAAS is difference approach in different middleware platform, even different version. for example: Tomcat 6.0.X is different from WebLogic.
 
According to description of Tomcat's official document, we need to do following steps:
 
------------------- refer to Tomcat official website -------------------
 
To set up Tomcat to use JAASRealm with your own JAAS login module, you will need to follow these steps:
Write your own LoginModule, User and Role classes based on JAAS (see the JAAS Authentication Tutorial and the JAAS Login Module Developer's Guide) to be managed by the JAAS Login Context (javax.security.auth.login.LoginContext) When developing your LoginModule, note that JAASRealm's built-in CallbackHandler only recognizes the NameCallback and PasswordCallback at present.
Although not specified in JAAS, you should create seperate classes to distinguish between users and roles, extending javax.security.Principal, so that Tomcat can tell which Principals returned from your login module are users and which are roles (see org.apache.catalina.realm.JAASRealm). Regardless, the first Principal returned is always treated as the user Principal.
Place the compiled classes on Tomcat's classpath
Set up a login.config file for Java (see JAAS LoginConfig file) and tell Tomcat where to find it by specifying its location to the JVM, for instance by setting the environment variable: JAVA_OPTS=$JAVA_OPTS -Djava.security.auth.login.config==$CATALINA_BASE/conf/jaas.config
Configure your security-constraints in your web.xml for the resources you want to protect
Configure the JAASRealm module in your server.xml
Restart Tomcat 6 if it is already running.
------------------- end -------------------
 
I think that it is not a nice approach if we configure some permission strategies in web.xml file. And other side, some documents tell us, WebLogic has custom module, and JBoss has another module too. These information show that authorization part of JAAS framework is not easy migration.
 
Related references:
JAASRealm of Tomcat:
http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html#JAASRealm
Security on JBoss:
http://docs.jboss.org/jbossas/admindevel326/html/ch8.chapter.html