I'm not following your question here, but if you security model does not fit into the standard role to uri based access model, you'll have to implement a custom model using filters and/or tomcat valves.
My problem is the following:
I have a web app that has its own security model (the login module gets the principals from a DB) with its own set of roles (guest, seller, buyer and admin). This application is at a beta stage and will not be deployed until later. In order to do demos for potential clients, we would like to put it on the web but allow access to the URL only to interested parties. I don't want to change the role model of the web app, but just add one access layer on top of the app (Alias to a URL for example)...
Hope this is clearer. I never used filters or valves and will look into them. They might be what I need. Thank you for your suggestions.
some more info:
My current web app is using form based login. the additional layer needs to be a auth-method of BASIC. I would like to specify one user/password (for example demo/demo) in order to access the site (the web app) from which the user can then login (or not) to the site as different roles.