Hey guys,

I am trying to write a simple web service and I have been having some trouble with role-based access control and authentication. I think I understand the basics about how this stuff is supposed to work, but when it comes to implementing the security policy, I am really struggling. I am trying to set up a service wherein resources under the /secure/* URL pattern would only be accessible to users that are in role "user". Rather than utilize a directory service for authentication, I wrote my own module called DoLogin.java that checks the username and salted & hashed password against a database. Here are the basics, maybe someone can tell me where I am going wrong:

WebContent directory structure:
Code:
/WebContent/index.html
/WebContent/secureLogin.jsp
/WebContent/WEB-INF/
/WebContent/WEB-INF/lib
/WebContent/WEB-INF/web.xml
/WebContent/secure/
/WebContent/secure/success.html

The problem is in this module. I need to somehow set the user's authenticated status and define their role as a user. I've left a comment where I think the code I am missing needs to go:

From DoLogin.java:
Code:
			query = "SELECT * FROM users where"
					+ " userName=? and password=?";
			ps = conn.prepareStatement(query);
			ps.setString(1, sUserID);
			ps.setString(2, saltedPassword);

			rs = ps.executeQuery();

			if (rs.next()) {
				//Somehow need to indicate to the web service that the user has successfully authenticated here.
				
				response.sendRedirect("secure/success.html");
			} else {
				response.sendRedirect("invalidLogin.html");
			}

From web.xml:
Code:
	<display-name>AuthorizationTest</display-name>
	<welcome-file-list>
		<welcome-file>index.html</welcome-file>
	</welcome-file-list>

	<servlet>
		<servlet-name>DoLogin</servlet-name>
		<servlet-class>myPackage.DoLogin</servlet-class>
		<security-role-ref>
			<role-name>user</role-name>
			<role-link>user</role-link>
		</security-role-ref>
	</servlet>
	<servlet-mapping>
		<servlet-name>DoLogin</servlet-name>
		<url-pattern>/DoLogin</url-pattern>
	</servlet-mapping>

	<servlet>
		<servlet-name>Register</servlet-name>
		<servlet-class>myPackage.Register</servlet-class>
	</servlet>
	<servlet-mapping>
		<servlet-name>Register</servlet-name>
		<url-pattern>/Register</url-pattern>
	</servlet-mapping>

	<security-constraint>
		<web-resource-collection>
			<web-resource-name>secure</web-resource-name>
			<url-pattern>/secure/*</url-pattern>
			<http-method>PUT</http-method>
			<http-method>DELETE</http-method>
			<http-method>GET</http-method>
			<http-method>POST</http-method>
		</web-resource-collection>
		<auth-constraint>
			<role-name>user</role-name>
		</auth-constraint>
	</security-constraint>

	<security-role>
		<role-name>user</role-name>
	</security-role>

	<login-config>
		<auth-method>FORM</auth-method>
		<realm-name>secure</realm-name>
		<form-login-config>
			<form-login-page>/secureLogin.jsp</form-login-page>
			<form-error-page>/invalidLogin.html</form-error-page>
		</form-login-config>
	</login-config>

From secureLogin.jsp:
Code:
<body>
	<div><%=error%></div>
	<form name="frmLogin" onSubmit="return validate();"
		action="DoLogin" method="post">
		User Name <input type="text" name="userName" /><br /> Password <input
			type="password" name="pwd" /><br /> <input type="submit"
			name="sSubmit" value="Submit" />
	</form>
</body>

Any advice would be greatly appreciated.
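The gap the poster marks in DoLogin.java is that a plain SELECT never tells the servlet container anything, so the /secure/* constraint and isUserInRole() still see an unauthenticated request. The following is an added example, not the poster's code: it hands the credential check to the container through the Servlet 3.0 HttpServletRequest.login() API and assumes a Servlet 3.1+ container whose realm (for instance Tomcat's DataSourceRealm) is configured against the same users table; the servlet name, the form field names "userName" and "pwd" and the role "user" are taken from the posted web.xml and secureLogin.jsp.

```java
// Added example, not the poster's code: delegate the credential check to the
// container via HttpServletRequest.login() (Servlet 3.0), so the
// security-constraint on /secure/* and isUserInRole("user") see a principal.
// Assumes the container realm is configured against the same users table.
package myPackage;

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class DoLogin extends HttpServlet {
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("userName");
        String pwd = req.getParameter("pwd");
        String errorPage = req.getContextPath() + "/invalidLogin.html";

        if (user == null || pwd == null || user.isEmpty() || pwd.isEmpty()) {
            resp.sendRedirect(errorPage);
            return;
        }

        try {
            // The container's realm checks the credentials; on success it sets
            // the principal and roles for this session, on failure it throws.
            req.login(user, pwd);
        } catch (ServletException e) {
            // One generic error page for unknown user and wrong password alike.
            resp.sendRedirect(errorPage);
            return;
        }

        // Rotate the session id after authentication (Servlet 3.1) so a session
        // created before login cannot be carried over as the authenticated one.
        req.changeSessionId();

        // Role membership is now decided by the container, the same way the
        // <auth-constraint> on /secure/* decides it.
        if (!req.isUserInRole("user")) {
            req.logout();
            resp.sendRedirect(errorPage);
            return;
        }
        resp.sendRedirect(req.getContextPath() + "/secure/success.html");
    }
}
```

If you would rather not write a servlet at all, the standard FORM-auth route is for secureLogin.jsp to post j_username and j_password to j_security_check and let the container run the whole exchange; either way it is the realm, not your own SELECT, that grants the role.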