How to handle Security in a Webapp with a JDBCRealm
Robert Krieg
Hello everybody,
I'm reading a lot about webapp security at the moment and I'm trying to implement it the official way with <security-constraint>, Realms and so on.
I have two parts in my webapp that I need to secure:
URL patterns: /command/admin/* and /command/client/*
My problem is: Can I use different login pages for these two sections? Something like multiple <login-config>?
Because the login form for my clients is on the main page of the website. But the login form for the admins is not there. Or shouldn't be there...
My second problem is:
I have a MySQL table for the clients with fields like "Id, Name, Phone, username, password" (and yet another table for the admin users).
When I've logged in, how do I recognize which user is logged in? Because I need data like the phone number etc. Does the container store the data from the user table in the session or something?...
Greetings, Robert
Ulf Dittmer
If you use the built-in security, then you only get a single login page.
You can find out about the logged-in user through methods in the HttpServletRequest, specifically getRemoteUser, getUserPrincipal and isUserInRole.