To tune the authorization process, consider the following steps:
Consider mapping your users to groups in the user registry. Then, associate the groups with your J2EE roles. This association greatly improves performance as the number of users increases.
Judiciously assign security-constraints for servlets. For example, you can use the URL pattern *.jsp to apply the same authentication data constraints to all JSP files. For a given URL, the exact match in the deployment descriptor takes precedence over the longest path match. Use the extension match (*.jsp, *.do, *.html) if the security constraints contain no exact match and no longest path match for a given URL.
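
The matching order described above, shown as a web.xml fragment. This is an added example, not part of the original text; the role names and URL patterns are hypothetical. Only the constraint on the best-matching pattern is applied to a request, so a more specific constraint must restate any protection it still needs.

```xml
<!-- Constructed example: role names and URL patterns are hypothetical. -->
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">

  <!-- Exact match: chosen for /admin/status.jsp ahead of /admin/* and *.jsp.
       The transport guarantee is repeated here because the /admin/*
       constraint is not consulted for this URL. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin-status</web-resource-name>
      <url-pattern>/admin/status.jsp</url-pattern>
      <!-- No http-method element: the constraint covers every HTTP method. -->
    </web-resource-collection>
    <auth-constraint><role-name>Operator</role-name></auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Longest path match: chosen for /admin/users.jsp, /admin/x/save.do, ...
       The *.jsp constraint below is NOT added on top for these URLs. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin-area</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>Administrator</role-name></auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Extension match: used only when no exact or path pattern matches,
       for example /index.jsp or /reports/list.jsp. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>all-jsps</web-resource-name>
      <url-pattern>*.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>Employee</role-name></auth-constraint>
  </security-constraint>

  <!-- Bind each role to a registry group, not to individual users. -->
  <security-role><role-name>Operator</role-name></security-role>
  <security-role><role-name>Administrator</role-name></security-role>
  <security-role><role-name>Employee</role-name></security-role>
</web-app>
```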