I'm using godaddy for my java hosting using shared tomcat package. Now because it it shared i cant opt for jaas. Just how do other jsp websites authenticate and authorize customers for his or her site whether they can not implement jaas? Will they handle all of the mechanism themselves or perhaps is their another better mechanism?

Thanks ahead of time.

You will have to handle security in your application. Spring Security and Apache Shiro would be the logical options both can be mounted as filters inside your web.xml and possess AOP support. Spring Security particularly has arrived at an amount of maturity where lots of people utilize it instead of container security, even if you will find no road blocks like your own house experienced.