I finally got some time to update Jetspeed security documentation. I still have a little bit of work to do, but I think this is a good beginning and it was badly lacking. Jetspeed 2 fully leverages JAAS for authentication (through the implementation of javax.security.auth.spi.LoginModule) and authorization (through the implementation of a custom java.security.Policy) and provides a flexible security framework with a set of coarse grained services for user management, role management, group management and permission management.
Jetspeed security SPI provides a pluggable authentication and authorization architecture. I found interesting some of the similarities with Acegi as pointed out by Keith Gary Boyce on Jetspeed user list.
For future releases, I am planning to investigate integration with JACC and with JSR 196. Additionally, Jetspeed provides some nice portlets that provide management features for the security framework.