Hi

I'm new to derby an have a question about extending user authentication.

I'm developing a multiuser rich client application that connects 
directly to a derby server. The clients should authenticate themselves 
via user name and password. Business logic requires, that each user is 
given a user role. The user role tells the client, what features the 
user may use and what features aren't permitted. My current idea is, to 
create a user table with user name, password-hash and user-role. This 
should work fine for users, that only use the client application.

But I think there is a problem with this. The whole authentication-logic 
only exists in the clients. The server still isn't protected. Anyone 
with some knowledge about SQL can connect the database server and do 
anything, ignoring the user permissions completely. From the developers 
guide I've learned, that derby offers an authentication mechanism to 
authenticate users to the database system. This should prevent this 
scenario.

I don't know how to best combine derby's user authentication with my 
user roles table. Is there a way to extend the user authentication in a 
way, not only user name and password are stored, but also additional 
data? Or do you see another (better) way to satisfy both requirements? 
Do I realy have to manage two sets of user data?

Thanks for your advise
Damian