Hello, I am very much confused regarding login process that happen in Java web application. I read many tutorials regarding jdbcRealm and JAAS. But, one thing that i don't understand is that why should i use them ? Can't i simply check directly against my database of users? and once they successfully login to the site, i store some variable in session as a flag. And probably check that session variable on all restricted pages (I mean keep a filter for restricted resources url pattern).If the flag doesn't exist simply redirect the user to login page. Is this approach correct?Does this approch sound correct? If yes, then why did all this JAAS and jdbcRealm came into existence?

Secondly, I am trying to completely implement SAS(Software as service) in my web application, meaning everything is done through web services.If i use webservices, is it possible to use jdbcRealm? If not, then is it possible to use JAAS? If yes, then please show me some example which uses mySql as a database and then authenticates and authorizes. I even heard about Spring Security. But, i am confused about that too in the sense that how do i use webservice with Spring Security.

Please help me. I am really very confused. I read sun's tutorials but they only keep talking about theories. For programmers to understand a simple concept, they show a 100 page theory first before they finally come to one example.