Hi Jaikiran,
This is my interpretation.
Suppose I only want an administrator to have access to the page "fileimporter.jsp".
Consider the following code from the web.xml file:
It limits access to the page to the role "Admin" that is defined at the application level. Elsewhere in the config, the role "admin" is tied to a Principal that the person has to log in as.
This is all handled without ever touching a database.
The application will check at the application level via JAAS whether the current user has been authorized as being in the role "admin".
The database is never touched. The application will not serve up fileimporter.jsp unless JAAS says "yes this person is currently in the admin role".
Doing it via a database, the page isn't necessarily filtered to not be served. A servlet has to check a session variable that is set via a DB query and passed around the application. There is more opportunity for it to be hacked.
-Paul