If you look at the security section of Sun's
j2ee "Blueprints" document you see the concepts of authentication and authorization. Basically, you initial login must authenticate the user (i.e. prove that they are who they say they are). This generally means a call to a data store of some sort to compare the u/p with the db. After this, implementations vary on how to store a flag or login id or the actual user id somewhere for future reference (like checking to see if the user is login before they post to a newsgroup). This is authorization. For
servlets you'd generally use the seesion object for that user or explicitly use a cookie yourself.
Sean
