J2SE access control is based on roles. To restrict access to specific HTML pages, servlets, JSPs, and so forth, you must define the following:
- The restricted areas, as listed in the Web module descriptor (web.xml)
- The roles that are granted access to each restricted area (in web.xml)
- User and group mappings to roles, which determine the specific users authorized to access each restricted area (in sun-web.xml)
Users can assume multiple roles. Access to a restricted area is allowed once it is verified that the user has been assigned at least one of the roles granted access to that area.
Use the samples located in the webapps/security directory with various access restrictions in Sun Java System Web Server 6.1 as templates. For additional discussion on Servlet role-based security, refer to the Servlet 2.3 specification.
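The three definitions listed above, shown together as an added example (it is not taken from the webapps/security samples or from the original page). The URL pattern, resource name, realm name, role names, user name, and group name are constructed for illustration.

```xml
<!-- web.xml (Servlet 2.3) fragment: the restricted area and the roles allowed in -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Admin pages</web-resource-name>  <!-- constructed name -->
    <url-pattern>/admin/*</url-pattern>                  <!-- constructed path -->
    <!-- No <http-method> elements: the constraint covers every HTTP method.
         Listing only GET and POST would leave other methods unconstrained. -->
  </web-resource-collection>
  <auth-constraint>
    <!-- Holding either role is enough to be granted access -->
    <role-name>administrator</role-name>
    <role-name>auditor</role-name>
  </auth-constraint>
  <user-data-constraint>
    <!-- BASIC credentials are only base64-encoded, so require SSL/TLS -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>example-realm</realm-name>                 <!-- constructed name -->
</login-config>

<!-- Every role used in an auth-constraint is declared here -->
<security-role>
  <role-name>administrator</role-name>
</security-role>
<security-role>
  <role-name>auditor</role-name>
</security-role>

<!-- sun-web.xml fragment: which users and groups hold each role -->
<sun-web-app>
  <security-role-mapping>
    <role-name>administrator</role-name>
    <principal-name>alice</principal-name>               <!-- constructed user -->
    <group-name>webadmins</group-name>                   <!-- constructed group -->
  </security-role-mapping>
  <security-role-mapping>
    <role-name>auditor</role-name>
    <group-name>auditors</group-name>                    <!-- constructed group -->
  </security-role-mapping>
</sun-web-app>
```

A role that appears in web.xml but has no mapping in sun-web.xml is held by no user or group, so when reviewing a deployment, compare the role names in the two files for exact matches.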