I'm building a webapp that needs to be authenticated from an existing user database, and I'm trying to decide whether to implement this authentication as part of the webapp itself or as an extension to the web container. I'm wondering if there are any design patterns that might be relevant, or if anyone has any experiences, wisdom, warnings, or opinions on the matter. The considerations/doubts I have so far are: - portability/reusability scenarios, eg. moving the webapp to a different container, using the same authentication in a new webapp. - if some of the information about the user is relevant and meaningful only within the application, is it an argument for making the authentication part of the application, or is it an argument for separating application-related user info from authentication-related user info? - To what extent is it consistent with J2EE's container model and J2EE's view of separation of roles for an application to do its own authentication?