1) use database users for authenticate
cnn = DriverManager.getConnection(dbUrl, username, password);
if can get cnn , then pass.
2) to limit returned records, (by role ?)
must specify a limit contition before list recordes.
3) use acegi 's authentication and authorization .
about this I need more info...
such as which table must be created and which class must be implemented in this case?