Did you define a user.properties file with userid=password? I don't know how it works with apache, but with JBoss (which uses apache) you also have a role.properties file. In there, you define userid=role. Then the role shows-up in the web.xml where you define your protected components. You can say "is user in role" when in your servlet.