What is the XML file you mentioned - web.xml
But that would imply you're using container-managed security
For web apps, I'd generally opt for a home-grown solution that checks login credentials against a DB, and then stores the pertinent details in the user's session. Coupled with a servlet filter that looks at all requests to make sure users are logged in (or redirects them to the login page if not).
So do you think this is more than enough as a security mechanism?
For everything in between there's Mastercard
It's a judgment call.
But what if I need to add a new Role? Do I have to change the XML file again? I think enrolling everything in DB is better.