I think the advice to "not roll your own" is usually in regards to encryption. Other security stuff is more reasonable to take on yourself; I'm not sure it's more likely that you'll use someone elses AuthZ framework any more correctly than you'll implement your own.
Yeah, I'm finding that I also need to understand authentication well enough that I COULD implement it, just to safely and correctly use someone else's implementation.
