J2SE application roles are abstract ones and apply to specific applications. To run your application in a real-world environment with restricted access to authorized users only, you must map the user names to the roles in the sun-web.xml descriptor. Employ either or both of these ways:
Group mapping - Map a user name or multiple ones indirectly through one or multiple groups in sun-web.xml. (For example, group names can be engineers, managers, or staff.) Any authenticated user who belongs to the groups listed is then assigned the application role. Please note that the active realm implementation (or the database that is references) is responsible for determining which users belong to a given group.
When a principal (user) requests a particular Web resource, for example, a servlet or a JSP, the Web container checks the security constraints or permissions associated with the resource in the deployment descriptor files to determine whether the principal is authorized to access it.
Role mapping entries map a role to a user or a group in the module descriptor. Example:
<sun-web-app> <security-role-mapping> <role-name>manager</role-name> <principal-name>jsmith</principal-name> <group-name>divmanagers</group-name> </sun-web-app>
For more information about deployment descriptor files, see the Sun Java System Web Server 6.1 SP12 Programmer’s Guide to Web Applications.