The simplest way is with a Filter. With a filter, which is already plain Java, you can intercept the request and validate whether a particular user is active or not.
With the filter you can determine which folders or files the user can access, whether logged in or not.
Here's an example: link
So you could set up a filter in web.xml:
    <filter>
        <filter-name>AdminPagesFilter</filter-name>
        <filter-class>com.filter.AdminPagesFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>AdminPagesFilter</filter-name>
        <url-pattern>/pages/protected/admin/*</url-pattern>
    </filter-mapping>
And a filter could be declared as:
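    package com.filter;

    import java.io.IOException;
    import javax.servlet.*; // javax namespace assumed; jakarta.servlet on Jakarta EE 9+
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpSession;

    // AbstractFilter (expected to provide accessDenied) and User are application classes not shown here.
    public class AdminPagesFilter extends AbstractFilter implements Filter {

        @Override
        public void destroy() {
        }

        @Override
        public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
            HttpServletRequest req = (HttpServletRequest) request;
            // Look up the existing session only; do not create one for anonymous requests.
            HttpSession session = req.getSession(false);
            User user = (session == null) ? null : (User) session.getAttribute("user");
            // Deny when nobody is logged in (user == null) or the user is not an admin.
            if (user == null || !user.isAdmin()) {
                accessDenied(request, response, req);
                return;
            }
            chain.doFilter(request, response);
        }

        @Override
        public void init(FilterConfig arg0) throws ServletException {
        }
    }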
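The filter above calls `accessDenied` on a base class the answer does not show. The following is an added sketch of what such a base class could look like, not code from the answer or from the linked example; the class body, the `LOGIN_PAGE` path and the `javax.servlet` namespace are assumptions. It separates the two denial cases: an anonymous request is redirected to the login page, while a logged-in user without the required role receives a 403.

```java
package com.filter;

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical base class: only the accessDenied(...) call signature comes from the answer.
public abstract class AbstractFilter {

    // Assumed location of the login page, relative to the context path.
    private static final String LOGIN_PAGE = "/pages/public/login.xhtml";

    protected void accessDenied(ServletRequest request, ServletResponse response, HttpServletRequest req)
            throws IOException, ServletException {
        HttpServletResponse res = (HttpServletResponse) response;

        // Keep the denial response (and anything rendered for it) out of caches.
        res.setHeader("Cache-Control", "no-store");

        // Same lookup the filter uses: never create a session just to deny a request.
        HttpSession session = req.getSession(false);
        boolean loggedIn = session != null && session.getAttribute("user") != null;

        if (!loggedIn) {
            // Anonymous request: send the browser to the login page.
            res.sendRedirect(req.getContextPath() + LOGIN_PAGE);
        } else {
            // Authenticated but not authorised for this URL pattern.
            res.sendError(HttpServletResponse.SC_FORBIDDEN);
        }
    }
}
```

Because the filter returns immediately after calling `accessDenied`, `chain.doFilter` never runs for a denied request and the protected resource is never rendered.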