The way available since J2EE 1.3 (and perhaps earlier, but then I'm not an archeologist) is through a callback mechanism: the platform only asks for a user's credentials when he tries to access a protected resource. If the credentials are accepted, the user is authenticated. His access rights are then matched against the access rights required to access the resource: if they match, he's allowed in; otherwise, he receives a 403 error.
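As an added illustration (not taken from the original post), this is the web.xml wiring that produces the behaviour described above in a J2EE 1.3 / Servlet 2.3 container: the `security-constraint` marks which resources are protected and which role they require, and the `login-config` tells the container how to collect credentials when an unauthenticated user hits one of them. The URL pattern, role name and page paths are assumptions chosen for the example.

```xml
<!-- Added example: declarative container-managed security in web.xml (Servlet 2.3 DTD).
     /admin/* , the "admin" role and the login page paths are placeholders for this example. -->
<web-app>

  <!-- Which resources are protected and what it takes to reach them.
       No <http-method> is listed on purpose: in the Servlet spec, naming methods
       constrains ONLY those methods, so leaving the list out covers every method. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin area</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <!-- Authenticated users without this role get the 403 mentioned above. -->
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- How the container asks for credentials when the callback fires.
       FORM is used here; BASIC, DIGEST and CLIENT-CERT are the other spec'd methods. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>example-realm</realm-name>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login-error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <!-- Roles referenced by auth-constraints must be declared for the application. -->
  <security-role>
    <role-name>admin</role-name>
  </security-role>

</web-app>
```

With this in place, a request to `/admin/anything` from an anonymous user is intercepted by the container, which serves the login page; once the realm accepts the credentials, the container checks the principal's roles against `admin` and either forwards the original request or returns 403. The mapping of users to roles lives in the container's realm configuration, not in web.xml.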