Authentication & Authorization

 
Ranch Hand
Posts: 49
Hello friends,
I'm developing an online stocks trading app, wherein users will register with the broker, deposit a certain amount and place sell or purchase stock requests. If the deposit of a user is falling short of processing a sell request, an email will automatically be sent to the user to update his deposit. Credit card numbers will be used to make payments.
To implement authentication and authorization I thought of using declarative security, i.e. I'll have all users with their username, pwd and roles defined in tomcat-users.xml and I'll define all constrained resources, the roles who can access these resources, etc. in the Deployment Descriptor. But the problem in implementing this is that whenever a new user registers, I'll have to put him in the tomcat-users.xml and redeploy the app.
I also thought of sticking a dbase connection object in the ServletContext and later on using it for authentication and authorization, but I think this would be time consuming with respect to coding as well as the response time of the app.

In what way are users authenticated and authorized in actual web apps?

And how should I go about developing the app? I mean, should I consider security aspects before I start, simultaneously with coding, or after coding?

cheers,
Poonam
 
Ranch Hand
Posts: 226
This is more of a Tomcat specific question, as every provider implements their authentication differently. You access them via the same API in your servlet if you use container managed security, but the implementations are completely different.

Check out Tomcat realms.
 
(instanceof Sidekick)
Posts: 8791
The database solution is quite common. It is non-trivial to build, but the runtime overhead is usually not a problem. It's also common to map a user to 1..n groups and a group to 1..n rights, with an API like hasRight( userName, right ), e.g. hasRight( "Poonam", "sell" ).

LDAP is often used instead of a database because it offers fast read-mostly access. Google for LDAP security or ACL (access control list) and see what you find.

For a real life trading app (not a school exercise?) I'd get a pro involved. I might build something secure enough to keep honorable gentlemen from reading each other's data, but keeping hackers away from serious money is a different story.
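One way to implement the hasRight( userName, right ) lookup described in the reply above, as an added example (not code from this thread, from Tomcat, or from the poster's app). The five-table schema, the JNDI name jdbc/TradingDB and the SellServlet that uses the check are assumptions made for the example:

```java
import java.io.IOException;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.sql.DataSource;

/**
 * Example only (not code from this thread): the user -> groups -> rights
 * model from the reply, answered by a single database query.
 *
 * Assumed schema (constructed for this example, not on the page):
 *   users(user_id, user_name)           one row per registered user
 *   groups(group_id, group_name)        e.g. "trader", "support"
 *   rights(right_id, right_name)        e.g. "sell", "buy", "view_balance"
 *   user_groups(user_id, group_id)      a user belongs to 1..n groups
 *   group_rights(group_id, right_id)    a group carries 1..n rights
 */
public class RightsService {

    // One join across the five tables. Both values are bound parameters,
    // never concatenated, so a user name containing quotes is just a literal.
    private static final String HAS_RIGHT_SQL =
          "SELECT 1 "
        + "  FROM users u "
        + "  JOIN user_groups ug  ON ug.user_id  = u.user_id "
        + "  JOIN group_rights gr ON gr.group_id = ug.group_id "
        + "  JOIN rights r        ON r.right_id  = gr.right_id "
        + " WHERE u.user_name = ? AND r.right_name = ?";

    private final DataSource dataSource;   // e.g. a pooled Tomcat JNDI DataSource

    public RightsService(DataSource dataSource) {
        this.dataSource = dataSource;
    }

    /** hasRight("Poonam", "sell") in the shape the reply describes. */
    public boolean hasRight(String userName, String right) {
        if (userName == null || right == null) {
            return false;                    // anonymous callers never hold a right
        }
        try (Connection con = dataSource.getConnection();
             PreparedStatement ps = con.prepareStatement(HAS_RIGHT_SQL)) {
            ps.setString(1, userName);
            ps.setString(2, right);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next();            // any matching row grants the right
            }
        } catch (SQLException e) {
            // Fail closed: a database problem must not become an implicit grant.
            return false;
        }
    }
}

/**
 * Servlet guarding the "place sell request" action with that check.
 * The container's realm has already authenticated the caller, so
 * getRemoteUser() returns the logged-in user name, or null if nobody is logged in.
 */
class SellServlet extends HttpServlet {
    private RightsService rights;

    @Override
    public void init() throws ServletException {
        try {
            // Hypothetical JNDI name; bind it in the web app's context.xml.
            DataSource ds = (DataSource) new InitialContext()
                    .lookup("java:comp/env/jdbc/TradingDB");
            rights = new RightsService(ds);
        } catch (NamingException e) {
            throw new ServletException("DataSource jdbc/TradingDB is not bound", e);
        }
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        if (!rights.hasRight(req.getRemoteUser(), "sell")) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);   // 403, nothing else happens
            return;
        }
        // ... validate the order, check the deposit, queue the sell request ...
    }
}
```

The same users table can also back the login step: Tomcat ships JDBC-backed realms (JDBCRealm and DataSourceRealm) that read user names, credentials and role names from database tables, so a newly registered user is recognised at the next login without touching tomcat-users.xml or redeploying. The authorization query above is then only run for actions that need a finer-grained decision than the role names in the deployment descriptor give you; if its cost ever shows up, cache the rights of a user in the HttpSession at login rather than querying on every request.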