Scott,
Thanks for your reply..

After reading your reply and reading some books, I realized that I was trying to mix two things Container managed security and Application Managed security and was getting confused.

I have decided to go with Container managed security using j_security_check and let the container pick up the roles etc from web.xml.

I also thought about going with Applicaiton Managed security which involved writing my own Servlet Filter. While doing that I looked at SecurityFilter (open source), but later decided to go with the container managed security the limited requirements I have..