My question here would be, Do you already have user  profile or are yo asking as how to get user data and how to store it? There are two different aspects into this

one is how to get user profile into your web  application in a secure sensible manner
and the other is how to persist this user profile

If you have already decided as how to establish a secure connection with the web application  client, then the only thing remains; is how to persist user profile into your database. For that you can use on of the existing practices of CMP, BMP, DAO, etc which completely depends on your architecture. but as you are concerned about writing less code, you should have a look at CMP. This somehow needs declarative approach which almost doesn't need any effort from component provider.

JAAS is not for DB connections. It looks to me that you are trying to handle authentication and authorization programmatically. To establish a secure connection you have a set of choices of handling security  declaratively, programmatically or both. all the choices are open to you, all you need to be careful is to follow the ten steps of making secure connections to avoid any hacking and also ensuring privacy.

I repeat my question by sample.
1: the end-user "Reza" Login in sytem.
2: He want to insert one object in database.
3: my database  wants to know who wants to insert this
object.
I want to send  this user.As you know, In Application
server we have connection pool and all the connection
assigned by one user  like "developer".
If I implement JAAS in my project I can find the
web-Applicaion user in my application  server, But I
don't know how database can know that user.My
percistence manager is hibernate.

Hibernate is just a object-relational persistence framework, I see it as a powerful replacement for entity beans so I don't think it's a good idea to leave the authorization to pass all the way through your application  and to be performed by DB, I guess this would be an invitation for hackers to your system. Although J2EE integrates to legacy (thirdparty systems) very well but that would require further support by those systems but I don't see you are taking that approach.

I guess what you can do is:

As the user  logs into the system, (after authenthication) you can create an end-to-end session with user and DB (this needs more discussion); this would be the end of authentication.

From that moment onwards you authorize user over performing certain actions (inserting objects into the DB, etc)

My answer to your question here is, do this either declaratively OR as you are using JAAS, you can get the benefit of isolating your secure system from the underlying security  infrastructure which in your case would be Oracle.You may end up writing some code. I'd say, for more information to see how you can do this, please refer to JAAS and writing LoginModule. (This can be done as part of pre-business logic filters + somepart if done by the containers too)

It's not a good practice to leave the authentication or authorization to domain objects or persistence layer

I wonder what is the best approach to the web  based security. Could you please give me some advise.
Is JAAS overkill? Is HttpSession secure enough?

There're many best practices for securing web-apps in the Java source
(java.sun.com) or others. JAAS is a powerfull/nice way to go but you
have not to implement even a line of JAAS in 90% of cases, you just
use it as your Servlet Container exposes to you. Look for how to
secure web  applications in Tomcat e.g.
Try not to use HttpSession as your application  should handle many
aspects of security  itself. Let alone (if) your container
implementation uses HttpSession/cookies/... to handle the stuff.

JAAS is for authentication and authorization, if user  cridential are shared among pages you need to consider single sign-on to share security  credentials across multiple loginmodules,
httpsession is used for sessions created between web  users and serb servers.
ONLY talking about web tier security; you need a strategy to provide privacy and protection for data from eavsdropping. the exchanged data can be protected by SSL/TLS, JCE or other cryptographic techniques which. (not going into much details) SSL provides the HTTP data security between web client and the server, connection-oriented and end to end connection.
Once data got to the server, you need to validate, authenticate and perform authorization. you have several obtions which JAAS is one of them and most recommended as this matches the J2EE security model.
please note that this was briefly talking about web-tier to web user only. you might have security credentials shared among web components within web-tier and other tiers on distributed/clustered servers that requires other considerations.
your answer is, to provide a secure end-to-end architecture, neither is enough. you need both