I use declarative security for small apps.
For larger things, I usually end up writing my own as the login involves fetching and setting up a lot of things.
You can, with
Tomcat create
JDBC realms to allow you to use declarative security with a database.
http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html [ May 14, 2008: Message edited by: Ben Souther ]