Hi I am look for a proven java security web-library which is a bit more low-level and therefore less intrusive than the well known frameworks spring-security and apache shiro.

Just something which has best-practive utility-apis for example to encode a remember-me cookie or for dighest authentication, accessing ldap. All the sutff which is so useful in the above frameworks but without needing to follow the frameworks filters and indriections an application-context or yet another ini file etc.

Well, you can always use the HttpServletRequest.login() method or j_security_check and implement an auth manager beneath it for your particular server, that's pretty much the default & low level standard thing... Your only real other choice is, as you mentioned, security frameworks.

Have a look at the Apache Shiro project it does a lot more then the standard libraries, and makes it really easy.

If you don't want to use either of one, use container-managed security which both Tomcat and Jetty provide.