best intro to ejb role-based security, with answers to my burning questions

Q: how does the username entered by visitor map to the role names?

q: can i use my own input control names in form-based auth?

q: where’s the db holding passwords?

answered on p 187 of Oreilly [[jsp]]