Sonatype just released Nexus 1.0-beta-5 where the most significant change was the addition of the RBAC and authentication system based on JSecurity. It's pretty amazing how fast the Nexus team integrated JSecurity. In 4 days we got the first integration done that was working. Yes, 4 days. At the end of our iteration, a week after we started, it was pretty much fully working. After two weeks we were completely done integration and testing JSecurity.
JSecurity is currently in the Apache Incubator but that should in no way deter you from using it. The architecture allowed us to override everywhere we found it necessary, and the JSecurity team turned around fixes on almost a daily basis which is also pretty amazing. We will definitely be integrating JSecurity in the rest of the Sonatype products. I highly recommend JSecurity for your application if you require a complete security solution. Thanks to Les Hazlewood of JSecurity for giving us advice, though it's so good we probably didn't need your advice :-)