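1) Use database users to authenticate,
like a login.
Code:
// Try to open a connection with the credentials the user supplied.
Class.forName(driverClass);
cnn = DriverManager.getConnection(dbUrl, username, password);

If a connection (cnn) can be obtained, the login passes.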

2) To limit returned records (by role?):

A limit condition must be specified before listing records.

3) Use Acegi's authentication and authorization.
About this I need more info...

Such as which table must be created and which class must be implemented in this case?
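
The login check from item 1, written out as an added example (not code from the original post): it closes the connection after the check and separates rejected credentials from an unreachable database, so an outage is never reported as a successful or failed login. The class name DbLoginCheck, the Result enum, the timeouts and the jdbc:example URL are assumptions made for illustration.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;

public class DbLoginCheck {
    enum Result { AUTHENTICATED, BAD_CREDENTIALS, UNAVAILABLE }

    // SQLSTATE class 28 is "invalid authorization specification" in the SQL
    // standard; anything else (network, driver, server down) is not a verdict
    // on the credentials.
    static Result classify(SQLException e) {
        String state = e.getSQLState();
        return (state != null && state.startsWith("28"))
                ? Result.BAD_CREDENTIALS : Result.UNAVAILABLE;
    }

    // Opens a connection as the end user. A live connection is the only path
    // to AUTHENTICATED; every failure falls through to a non-success result.
    static Result login(String dbUrl, String username, String password) {
        if (username == null || username.isEmpty()
                || password == null || password.isEmpty()) {
            return Result.BAD_CREDENTIALS; // reject empty input before the driver sees it
        }
        DriverManager.setLoginTimeout(5); // seconds (assumed value)
        try (Connection cnn = DriverManager.getConnection(dbUrl, username, password)) {
            // try-with-resources closes the connection once the check is done.
            return cnn.isValid(2) ? Result.AUTHENTICATED : Result.UNAVAILABLE;
        } catch (SQLException e) {
            return classify(e);
        }
    }

    public static void main(String[] args) {
        // Constructed exceptions standing in for what a driver would throw.
        System.out.println(classify(new SQLException("access denied", "28000")));
        System.out.println(classify(new SQLException("link failure", "08S01")));
        System.out.println(classify(new SQLException("no SQLSTATE set")));
        // Constructed URL with no registered driver: getConnection throws,
        // and the result is a non-success value rather than a login.
        String url = "jdbc:example://db.invalid/app";
        System.out.println(login(url, "alice", "constructed-password"));
        System.out.println(login(url, "alice", ""));
    }
}
```

With this approach the database account's own grants decide what the user can read afterwards, which is why the connection opened for the check is closed rather than shared.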