Apache Redback started as an attempt to clean away some of the more annoying security related components of web applications and centralize them into a simple to use framework. Some of the basic beliefs we started with where that authentication, authorization and user management were all basically seperate concerns, sure there are points where they rub up against each other but those are pretty clear points and not worth mashing up whole discrete concepts together.
Redback supports a number of authentication mechanisms, and a couple of authorization schemes including an implementation of role based access control. Redback has been built on top of the plexus container so it is simple to have the core security system object into your code for making authentication, authorization or user management tasks through its api.
Apache Redback is currently being used for providing a consistent security related user experience to Apache Continuum and Archiva.