TAI lets you write a custom authentication mechanism that can let you do things like redirect to an external login page, check some success token and assert a principal on the request.
I think it only happens for unauthenticated requests, but it sounds like 196 happens every request.
IMHO, the TAI interface looks significantly cleaner. It takes a request, response and the status is all returned in a TAIResult object which contains a status ala AuthStatus as well as a location to assert the principal.
The spnego example for 196 seems to push and pull and a lot stuff into a lot of places in the messageInfo and clientSubject as well as returning the appropriate AuthStatus.
Just seems like a lot of moving parts... anyways...
I was trying out a small 196 implementation, but I got a little stuck on the configuring the application piece.
In your blog, when you said "sun-web-app.xml", did you mean to say "sun-web.xml"?
Could you provide a sample of what "httpservlet-security-provider attribute" should look like?
I can't seem to find an example anywhere and I keep getting:
"DPL8007: Invalid Deployment Descriptors element httpservlet-security-provider value MySAM"
[Message sent by forum member 'brian_of_fortent' (brian_of_fortent)]
http://forums.java.net/jive/thread.jspa?messageID=269073