Hey guys,

I am trying to write a simple web service and I have been having some trouble with role-based access control and authentication. I think I understand the basics about how this stuff is supposed to work, but when it comes to implementing the security policy, I am really struggling. I am trying to set up a service wherein resources under the /secure/* URL pattern would only be accessible to users that are in role "user". Rather than utilize a directory service for authentication, I wrote my own module called DoLogin.java that checks the username and salted & hashed password against a database. Here are the basics, maybe someone can tell me where I am going wrong:

WebContent directory structure:
The problem is in this module. I need to somehow set the user's authenticated status and define their role as a user. I've left a comment where I think the code I am missing needs to go:

From DoLogin.java:
	// Look the user up by name and the already salted-and-hashed password.
	query = "SELECT * FROM users where"
			+ " userName=? and password=?";
	ps = conn.prepareStatement(query);
	ps.setString(1, sUserID);
	ps.setString(2, saltedPassword);

	rs = ps.executeQuery();

	if (rs.next()) {
		// A row came back, so the credentials matched.
		//Somehow need to indicate to the web service that the user has successfully authenticated here.
	} else {
		// No matching row: authentication failed.
	}
From web.xml:





From secureLogin.jsp:
	<form name="frmLogin" onSubmit="return validate();"
		action="DoLogin" method="post">
		User Name <input type="text" name="userName" /><br />
		Password <input type="password" name="pwd" /><br />
		<input type="submit" name="sSubmit" value="Submit" />
	</form>
Any advice would be greatly appreciated.
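One way to wire this up without container-managed security, as an added example that is not code from the post above: the login servlet records the authenticated user name and role set in the HTTP session, and a servlet filter mapped to /secure/* refuses any request whose session does not carry role "user". The example looks the user up by name only and verifies the hash in Java, so the per-user salt can be read from the row and the comparison is constant-time. Assumptions, none of which come from the original post: Servlet 3.1+ (for `@WebFilter`, `@WebServlet` and `changeSessionId()`), a `users` table with columns `user_name`, `pw_salt` (bytes), `pw_hash` (bytes) and `role`, passwords stored as PBKDF2-HMAC-SHA256 over the stored salt, a JNDI DataSource named `java:comp/env/jdbc/usersDb`, and `/secure/home.jsp` as the post-login page. The two public classes belong in two source files.

```java
// Added example, not the original poster's code. See the lead-in for the assumed
// table layout, hash scheme and JNDI resource name.
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.Collections;
import java.util.Set;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import javax.sql.DataSource;

/** Verifies the posted credentials and marks the session as authenticated. */
@WebServlet("/DoLogin")
public class DoLogin extends HttpServlet {
    static final String USER_ATTR = "auth.user";    // session key: principal name
    static final String ROLES_ATTR = "auth.roles";  // session key: Set<String> of roles
    private static final int PBKDF2_ITERATIONS = 100_000;

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String userName = req.getParameter("userName");
        String pwd = req.getParameter("pwd");
        if (userName == null || pwd == null) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        // Select by user name only; the password check happens below in Java.
        String sql = "SELECT pw_salt, pw_hash, role FROM users WHERE user_name = ?";
        try (Connection conn = openConnection();
             PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, userName);
            try (ResultSet rs = ps.executeQuery()) {
                if (rs.next() && verify(pwd, rs.getBytes("pw_salt"), rs.getBytes("pw_hash"))) {
                    // Success: rotate the session id (blocks session fixation), then
                    // store the principal and roles the filter will check.
                    HttpSession session = req.getSession(true);
                    req.changeSessionId();
                    session.setAttribute(USER_ATTR, userName);
                    session.setAttribute(ROLES_ATTR, Collections.singleton(rs.getString("role")));
                    resp.sendRedirect(req.getContextPath() + "/secure/home.jsp");
                    return;
                }
            }
        } catch (SQLException | NamingException e) {
            throw new ServletException(e);
        }
        // Failure: identical response whether the name or the password was wrong.
        resp.sendRedirect(req.getContextPath() + "/secureLogin.jsp?error=1");
    }

    /** Assumed JNDI DataSource; adjust the resource name to your container config. */
    private static Connection openConnection() throws NamingException, SQLException {
        DataSource ds = (DataSource) new InitialContext().lookup("java:comp/env/jdbc/usersDb");
        return ds.getConnection();
    }

    /** PBKDF2-HMAC-SHA256 over the stored salt, compared in constant time. */
    static boolean verify(String password, byte[] salt, byte[] expected) {
        try {
            PBEKeySpec spec = new PBEKeySpec(password.toCharArray(), salt,
                    PBKDF2_ITERATIONS, expected.length * 8);
            byte[] actual = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                    .generateSecret(spec).getEncoded();
            return MessageDigest.isEqual(actual, expected);
        } catch (GeneralSecurityException e) {
            return false;
        }
    }
}

/** Enforces role "user" on every request under /secure/. */
@WebFilter("/secure/*")
public class SecureAreaFilter implements Filter {
    private static final String REQUIRED_ROLE = "user";

    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;
        HttpSession session = req.getSession(false);  // never create a session here
        Object user = session == null ? null : session.getAttribute(DoLogin.USER_ATTR);
        @SuppressWarnings("unchecked")
        Set<String> roles = session == null ? null
                : (Set<String>) session.getAttribute(DoLogin.ROLES_ATTR);
        if (user == null) {                       // not logged in: send to the form
            resp.sendRedirect(req.getContextPath() + "/secureLogin.jsp");
            return;
        }
        if (roles == null || !roles.contains(REQUIRED_ROLE)) {  // logged in, wrong role
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(request, response);        // authorised: continue to /secure/...
    }
}
```

Because the filter is registered with `@WebFilter`, no filter-mapping is needed in web.xml; the only web.xml requirement is that the deployment descriptor not set `metadata-complete="true"`, which would disable annotation scanning. If you would rather have the container's own `isUserInRole()` and `security-constraint` handle /secure/*, the alternative is to configure a JDBC realm in the container and call `request.login(userName, pwd)` from the servlet instead of setting session attributes yourself.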