since my goal is to be able to run the webapp to other application servers aside from resin, container managed authentication and authorization doesnt fit the bill. now am looking at acegi so that it would inflict less pain when switching applications servers. i found a nice intro to acegi in this article -> Javalobby - Java J2EE Programming Forums - Securing Your Java Applications - Acegi Security Style...