An update here.... And a theory if anyone is reading....
Instead of using my own servlet to process the user login (e.g. when the login.jsp is displayed when the user tries to access a protected page), I used the j_security_check approach. After a bit (see other post) it worked fine. If the user does not have the correct role, they get an error.
So, my theory is that there are at least two situations:
1) If you simply want to protect pages from being accessed by users without the proper authentication (and can live with username/password), then you can use the "j_security_check" approach, describe the roles/security in the various .xml files and everything will be fine.
2) If you want to do something a little more custom - e.g. in my case if someone tries to reach a protected JSP, I want them to log in and then "start at the beginning" of my system. For this, I use a custom page and a custom JAAS CallbackHandler. However, in this case, I think that if I want to check roles, then I need to do it programmatically; I cannot do it declaratively in the container.
Does anyone know if this theory is correct??
Thank you so much,
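
For the second situation in the post, a programmatic role check over a JAAS `Subject` could look like the following. This is an added example, not code from the original post; `UserPrincipal`, `RolePrincipal` and `hasRole` are hypothetical names, and it assumes the application's LoginModule attaches one role principal per granted role.

```java
import java.security.Principal;
import javax.security.auth.Subject;

public class SubjectRoleCheck {

    // Hypothetical principal types; a real LoginModule supplies its own classes.
    static class NamedPrincipal implements Principal {
        private final String name;
        NamedPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
    }
    static final class UserPrincipal extends NamedPrincipal {
        UserPrincipal(String name) { super(name); }
    }
    static final class RolePrincipal extends NamedPrincipal {
        RolePrincipal(String name) { super(name); }
    }

    // Returns true only if the Subject carries a RolePrincipal with this name.
    // Filtering by principal class matters: comparing names across all
    // principals would let a user whose login name is "admin" pass an
    // "admin" role check.
    static boolean hasRole(Subject subject, String role) {
        if (subject == null || role == null) {
            return false; // fail closed: no authenticated Subject, no access
        }
        for (RolePrincipal p : subject.getPrincipals(RolePrincipal.class)) {
            if (role.equals(p.getName())) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample: principals as a LoginModule might leave them.
        Subject alice = new Subject();
        alice.getPrincipals().add(new UserPrincipal("alice"));
        alice.getPrincipals().add(new RolePrincipal("manager"));

        // Constructed sample: a user whose login name equals a role name.
        Subject userNamedAdmin = new Subject();
        userNamedAdmin.getPrincipals().add(new UserPrincipal("admin"));

        System.out.println("alice/manager: " + hasRole(alice, "manager"));
        System.out.println("alice/admin: " + hasRole(alice, "admin"));
        System.out.println("user 'admin'/admin: " + hasRole(userNamedAdmin, "admin"));
        System.out.println("no subject/manager: " + hasRole(null, "manager"));
    }
}
```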