I'm talking about when you expect it to be empty...
Building your own is fairly simple. Store the username and password (as a one-way hash) in the DB. When the user logs in, hash the entered password and compare it to the stored value. If authentication succeeds, place information in the session stating so. This could be as simple as the user's name, or a more complicated structure with such information as the user's roles and allowed permissions within the application.
A servlet filter can be set up to check for this session "token". Should it not exist, a redirect to the login page prevents the access to the interior of the web app when not logged in.
A logout or session timeout removes the session token.
Ben Souther set up a simple example:
http://simple.souther.us/not-so-simple.html (near bottom of page).
[ April 08, 2007: Message edited by: Bear Bibeault ]
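The flow described in the post above (hash and compare, session token, filter, logout), sketched as an added example that is not part of the original post and is not Ben Souther's code. It assumes the `javax.servlet` API on the classpath, a filter mapped to `/*`, a login servlet mapped at exactly `/login`, and a salted PBKDF2 hash as the one-way hash; the names `AuthFilter` and `authUser` and the iteration count are hypothetical choices.

```java
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.servlet.*;
import javax.servlet.http.*;
// Added example: AuthFilter, "authUser" and "/login" are hypothetical names.
public class AuthFilter implements Filter {
    static final String TOKEN = "authUser";   // session attribute set on successful login

    // One-way hash of the entered password, using the per-user salt stored in the DB.
    static byte[] hash(char[] password, byte[] salt) throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(password, salt, 210_000, 256); // assumed work factor
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
    }

    // Called by the login servlet; salt and storedHash come from the user's DB row.
    static boolean login(HttpServletRequest req, String user, char[] password,
                         byte[] salt, byte[] storedHash) throws GeneralSecurityException {
        if (!MessageDigest.isEqual(hash(password, salt), storedHash)) return false; // constant-time compare
        HttpSession old = req.getSession(false);
        if (old != null) old.invalidate();     // new session id after login (session fixation)
        req.getSession(true).setAttribute(TOKEN, user);
        return true;
    }

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}
    @Override
    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        HttpSession session = req.getSession(false);   // do not create a session just to check
        boolean loggedIn = session != null && session.getAttribute(TOKEN) != null;
        if (loggedIn || "/login".equals(req.getServletPath())) {
            chain.doFilter(rq, rs);                    // authenticated, or the login page itself
        } else {
            res.sendRedirect(req.getContextPath() + "/login");
        }
    }

    // Logout: invalidating the session removes the token; a session timeout has the same effect.
    static void logout(HttpServletRequest req) {
        HttpSession s = req.getSession(false);
        if (s != null) s.invalidate();
    }
}
```

Any stylesheet or image the login page loads also passes through a `/*` filter, so those paths need the same exemption as `/login`.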