Thanks. Yes, container-managed authentication would be form-based. But I don't quite understand why you would need an admin to configure the username. You could write an EJB to handle user self-registration, and a JSP
where the user could choose the username, provided it didn't already exist. Registration (unlike authentication) would not be container-managed, but does that mean that you need an admin?
If a user books through the travel agent, the agent's client app. could instruct another EJB to generate a user-name and password and (optionally) send these to the user's email address. The travel agent wouldn't need these to log on, but the user might need them if they later wanted to change the itinerary from the website.
What do you think?