HTTP Authentication

HTTP protocol has basic authentication were server maintains database of usernames and passwords.
Server asks for username/pass when client tries to access secure pages.
Client sends user/pass encoded using Base64 (basically, plain text).
In digest authentication they are encrypted using MD5 (secure encryption), but server must still maintain list of user/pass (honey-pot).

You can configure these into servlet server, by giving each user one or more roles in the tomcat-users.xml file:

<tomcat-users>
  <user name="Dilbert"      password="dnrc"         roles="engineer" />
  <user name="Wally"        password="iluvalice"    roles="engineer,slacker" />
  <user name="MrPointyHair" password="MrPointyHair" roles="manager,slacker" />
</tomcat-users>

then modify web.xml to protect the needed directories

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE web-app
    PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN"
    "http://java.sun.com/j2ee/dtds/web-app_2_2.dtd">
<web-app>
    <servlet>
        <servlet-name>
            secret 
        </servlet-name>
        <servlet-class>
            SalaryServer
        </servlet-class>
    </servlet>

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>
                SecretProtection
            </web-resource-name>
            <url-pattern>
                /servlet/SalaryServer <!--protect access to these urls-->
            </url-pattern>
            <url-pattern>
                /servlet/secret
            </url-pattern>
            <http-method>
                GET  <!--using these methods-->
            </http-method>
            <http-method>
                POST
            </http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>
                manager <!--only manager can access-->
            </role-name>
        </auth-constraint>
    </security-constraint>

    <login-config>
        <auth-method>
            BASIC       <!-- BASIC, DIGEST, FORM, CLIENT-CERT -->
        </auth-method>                                               
        <realm-name>                                                 
            Default     <!-- optional, only useful for BASIC -->     
        </realm-name>                                                
    </login-config>                                                  

    <security-role>
        <role-name>
            manager
        </role-name>
    </security-role>
</web-app>

Once the user is logged in you can get his principal—entity being authenticated—with:

public java.security.Principal HttpServletRequest.getUserPrincipal();
principal.getName();

or just check for the correct role with

public boolean HttpServletRequest.isUserRole(String role);