First off, I'd keep the web password separate (and distinct) from the database password, and not tell the user their DB password. You can have the user log into the web app, and then look up their DB password from some secure storage. (It's more common to have just a single DB user for all web users, but that's a different discussion.)
If you are set on implementing what you describe, you'll need to do something server-specific, because there is no way to access j_security_check info using servlet spec-compliant ways. For Tomcat -which does not allow filtering of j_security_check- you could use a
Valve, or create your own Realm that gives you access to the username/password. (An
article I wrote for the JavaRanch Journal describes the Realm approach.)
[ February 23, 2008: Message edited by: Ulf Dittmer ]