Posted to users@tomcat.apache.org by Ed <ed...@jsq.co.uk> on 2000/07/10 16:38:57 UTC

Help - Security in tomcat

I am trying to implement some decent security on my web-app, yet the
security related tags in the web.xml file are confusing me.  I seem to be
able to set roles, map these to some 'internal' identifiers and specify the
URL patterns which are only accessible to users who are in certain roles.
This is all well and good, but how on earth do I actually physically check
that a user is recognised?  I have a database of users and roles, yet I
can't seem to figure out how to get the servlet container to look these up.

I have read through the entirety of the Servlet 2.2 specification and I am now
sure I want to use form-based authentication.  Great, I specify that the
form action is to be "j_security_check" but what actually gets run when I
supply the 'j_username' and the 'j_password' when the form is posted?  It
must have a list somewhere of valid username/password pairs otherwise it
can't authenticate a soul.

I feel as though I am missing something very obvious indeed!  Could someone
point me in the right direction?

Many many thanks.
Ed.