I am working on a web application. Registered members of the web site fall into mutually exclusive four different roles - contributor, editor, advisor, and administrator. The number of contributors could be hundreds and they are directed to Page C and go forward from there. The number of editors would be less than 15 and they are directed to Page E and go forward from there. The number of advisors would be less than 5 and they are directed tp Page A and go forward from there. There are a couple of administrators and there is no restriction for them to access the resources. All registered members are kept in a database. The database has their name, password, role, etc. My questions is regarding the security checking when a member submits the LOGON form: Should I read in the logon information, check against the database, get his/her role from the database, and direct him/her to the proper web page? Or Should I use the <security-constraint> <login-config> and <security-role> tags in the web.xml? I am confused. Please help to clarify my thoughts.
You should implement a custom authentication module that authenticates the user against the user database. The same goes for the role mapping: you should create a custom role mapper. In the web.xml you should indeed assign roles to resources, but the actual authentication, and the actual role mapping (user X has role Y, or roles A,B,C) should be built custom. Exactly how depends on your container. Maybe your container already has custom implementations for DB authentication and role mapping, maybe not. You are not the first with this problem, so look around :-)