You also may want to review the documentation for your web application server.
In JEE security, permission to access web resources is based on a security role such as clerk or manager. Each role is a developer-assigned status and is declared in the JEE deployment descriptor (web.xml) that accompanies the application code. Also stored in web.xml is a set of security constraints that define which web pages are available to the users who are ultimately assigned a given role.
If you are using the Form authentication method, you can customize the following JSP pages:
<%-- Login page: the form must post to j_security_check with the fields j_username and j_password --%>
<%@ page language="java" contentType="text/html; charset=ISO-8859-1"
pageEncoding="ISO-8859-1"%>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Login Page</title>
</head>
<body>
<h1>Login Page</h1>
<form method="POST" action="j_security_check">
User Name : <input type="text" name="j_username"/>
Password : <input type="password" name="j_password"/>
<input type="submit" value="Login"/>
</form>
</body>
</html>
<%-- Login error page: shown by the container when j_security_check rejects the credentials --%>
<%@ page language="java" contentType="text/html; charset=ISO-8859-1"
pageEncoding="ISO-8859-1"%>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Login Error Page</title>
</head>
<body>
<h1>Login Error Page</h1>
Status = Login Error !!!
</body>
</html>
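The following web.xml is an added example, not part of the original page or of any product's shipped configuration. It declares the clerk and manager roles named above, constrains two URL patterns to those roles, and wires the FORM authentication method to the two JSP pages. The file names login.jsp and loginError.jsp, the URL patterns and the realm name are assumptions chosen for the example.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example web.xml (not from the original page).
     File names login.jsp and loginError.jsp are assumed. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
         version="2.5">

  <!-- Roles are declared by the developer; the deployer maps them to
       real users and groups at deployment time. -->
  <security-role>
    <role-name>clerk</role-name>
  </security-role>
  <security-role>
    <role-name>manager</role-name>
  </security-role>

  <!-- Everything under /orders/ is available to clerks and managers.
       No http-method element is listed, so the constraint covers all methods. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Order entry</web-resource-name>
      <url-pattern>/orders/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>clerk</role-name>
      <role-name>manager</role-name>
    </auth-constraint>
    <!-- CONFIDENTIAL makes the container require TLS, so the posted
         j_username/j_password and the session cookie are not sent in clear. -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Everything under /admin/ is restricted to managers. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Administration</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>manager</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- FORM authentication: the container serves login.jsp for an
       unauthenticated request to a constrained page and loginError.jsp
       when j_security_check rejects the credentials. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>Example realm</realm-name>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/loginError.jsp</form-error-page>
    </form-login-config>
  </login-config>
</web-app>
```

Two points worth checking in any web.xml of this shape: a security-constraint with no auth-constraint element grants access to everyone, whereas an empty auth-constraint element denies everyone, so the two are not interchangeable; and listing specific http-method elements in a web-resource-collection leaves every unlisted method unconstrained, so omit them unless you intend to protect only those methods. The role names here are still only labels until the deployer binds them to users and groups, as described next.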
A deployer (usually a system administrator) associates each security role with specific users and groups. The deployer makes that association by customizing the EAR project deployment descriptor (application.xml), usually by working at the Security tab for that file.
The authentication methods used most often are FORM, in which case the user can log out without ending the browser session, and the more secure CLIENT_CERT (client certificate authentication), in which case the authentication data is encrypted and, as an option, the server may be required to review the client's security certificate before deciding whether to accept the data.
Knowing a user's role at run time lets the application direct processing in accordance with its authorization rules.