Amir,
Perhaps you are tripping over type of authentication vs. credential storage. The web.xml file has elements that let you specify not only the authentication realm, but what authentication type to use. This means that you specify where the username and password store is (realm), and how to go about collecting the user's credentials (type).
The authentication types are basic, digest, form-based and client-certificate. Form-based with an SSL connection is probably most common.
For realm, I would prefer to use a directory-based lookup, but if your application allows new users to sign themselves up, this may not be feasible (the app would have to bind to the LDAP server with write privileges). The UIDs and passwords can be kept in a database, and accessed via JDBC, which is what you were referring to. Least preferred is a file-based store.
Hope this helps!
Philip Shanks, SCJP - Castro Valley, CA
My boss never outsources or has lay-offs, and He's always hiring. I work for Jesus! Prepare your resume!