I personally use Spring Security for this. Spring security makes it easy to use various authentication and authorization schemes (for example, by checking the main / digest headers from an HTTP request based on a database or an LDAP server). It's not difficult to configure with JAX-RS , and it also has an excellent aspect-based rights system where you can do things like
@PreAuthorize ("hasRole ('ROLE_ADMIN') or order.customer.username == user.username) deleteOrder (order order);
which guarantees that the authenticated user must either be in the ROLE_ADMIN group or be the owner of the order to allow it to be deleted,
, , JAX-RS, - Spring (fx., WebApplicationException, )