We use this approach to do Authentication and Authorization, and I think it is a good approach so far. Since I use a database to store the security info, I can modify it at run time. In addition, this approach is not tied to any vendor product, so it will work no matter whether I use Tomcat or another web container.
I just wonder what the advantage is of using the J2EE Security mechanism described in HFB? (I found there are many vendor-specific configs, like setting tomcat-user.xml ....).
Could anyone share your experience of how to implement your webapp security?
Or, is it possible to INTEGRATE both of them (the one I use and the one described in HFB)?