Login to JSP with declarative security. How does actual authentication work?

I was a little puzzled by this, as I did not see many examples that gave me the whole picture. The best explanation I've found so far is this.

Defining the security role in web.xml, for example, "admin", and having my login form with all the necessary fields (for example, j_security_check as an action and fields j_username, j_password), how / where does the actual authentication take place?

I plan to use user authentication using the username / passwords (hashes) stored in the database. When a user submits a form, how do I get the Java EE Web Container to call my servlet / bean method to actually authenticate? I did not notice a place to add a binding to my code in web.xml, which will do the actual authentication.

+4
2 answers

Defining the security role in web.xml, for example, "admin", and having my login form with all the necessary fields (for example, j_security_check as an action and fields j_username, j_password), how / where does the actual authentication take place?

In the servlet container implementation. For example, in Tomcat, this is done by the AuthenticatorBase class (source code here).

I plan to use user authentication using the username / passwords (hashes) stored in the database. When a user submits a form, how do I get the Java EE Web Container to call my servlet / bean method to actually authenticate? I did not notice a place to add a binding to my code in web.xml, which will do the actual authentication.

If you want to use container-managed authentication, but want to verify the login against the database instead, you need to set up the so-called realm accordingly. It is not clear which servlet container you are using, but, for example, in Tomcat, the documentation is available here: Tomcat 6.0 Realm HOW-TO.

If you really want to create your own homegrown authentication system instead, you need to abandon container-managed security and go ahead. This is not recommended.

+4
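As an added illustration of the answer above (not code from the answer or from Tomcat's documentation), here is the full chain: the declarative constraint and FORM login in web.xml, the login form that posts to j_security_check, and a Tomcat DataSourceRealm that checks the submitted password against hashes in a database. The JNDI name, table and column names are assumptions; the CredentialHandler element is Tomcat 8+ syntax.

```xml
<!-- web.xml: declarative constraint + FORM login. The container, not your
     servlet, intercepts requests matching /admin/* and shows the login page. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Admin area</web-resource-name>
    <url-pattern>/admin/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>admin</role-name>
  </auth-constraint>
  <user-data-constraint>
    <!-- require TLS so j_password is never sent in clear text -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/login-error.jsp</form-error-page>
  </form-login-config>
</login-config>
<security-role>
  <role-name>admin</role-name>
</security-role>

<!-- login.jsp: the form posts to j_security_check. No servlet of yours is
     mapped to that URL; the container consumes it and calls the Realm. -->
<form method="POST" action="j_security_check">
  <input type="text" name="j_username">
  <input type="password" name="j_password">
  <input type="submit" value="Log in">
</form>

<!-- META-INF/context.xml (Tomcat 8+): the Realm is where the credentials are
     actually verified. JNDI name, table and column names are assumptions. -->
<Realm className="org.apache.catalina.realm.DataSourceRealm"
       dataSourceName="jdbc/AppDB" localDataSource="true"
       userTable="users" userNameCol="username" userCredCol="password_hash"
       userRoleTable="user_roles" roleNameCol="role">
  <!-- compare the submitted password against salted, iterated SHA-256 hashes;
       Tomcat 6/7 used a digest="..." attribute on the Realm instead -->
  <CredentialHandler className="org.apache.catalina.realm.MessageDigestCredentialHandler"
                     algorithm="SHA-256" iterations="100000" saltLength="16"/>
</Realm>
```

The stored password_hash values must be produced in the format this handler expects (salt, iteration count and digest), for example with Tomcat's bin/digest script using the same algorithm and settings.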

Actual authentication is performed in two ways:

  • Using a proprietary server method, for example LoginModules in JBoss or the Tomcat one mentioned by BalusC. They are different for each server.
  • Through JASPIC, which was introduced in Java EE 6.

JASPIC has largely standardized proprietary methods, but it has a fairly low-level API and, unfortunately, is only available for full-blown Java EE 6 and 7 implementations.

For more information, see Implementing container authentication in Java EE with JASPIC.

+3