The easiest way to do that is if you're using the
J2EE standard container-managed security system. Under that mechanism, you simply add the URL
pattern to the web.xml security context and define a suitable role for users who are allowed access to those files. You can then configure one of the database-backed security Realms to check login credentials against the PostgreSQL database. Of course, you also have to have defined login/loginfail form pages if you're doing form-based authentication.
I use this on a routine basis, although not usually for file access. A common usage is that I put all my admin resources under an "admin" folder and restrict access to them to users granted the "admin" security role.