I have to implement a webapp with Java EE that has different types of users with different rights on the functions, data and files available.
I've never done that before, and I expected that a Java EE-standard would exist to do that, but I didn't find anything useful yet.
What is the best practice to implement a Java EE-webapp with different right permissions, and especially how can I manage/implement selective right-based file-downloads on my webapp ?
The standard way of doing this is by using Realms (http://docs.oracle.com/javaee/6/tutorial/doc/bnbxj.html).
This will provide you both the authentication mechanisms and the authorisation ones, with nice annotations to easily decorate your service classes.
Another top-notch contender is Spring Security (http://projects.spring.io/spring-security/). I would not recommend that if you plan to go plain-Java EE though.
This you can do like the usual login validation where a user is given certain rights. Control this information from a database using for example a flag, access right attached to a user, or a user category.
On attempt to access a Page or a function, the user access as given in the database is validated and the user either denied or granted access.
