Is there some kind of "j2ee compliant" way of doing user authentication and role-assignment - are there any standards one is supposed to use?
The J2EE recommendation for this is to use container-managed security (i.e. the <security-constraint> elements defined in web.xml) for user authentication and access control. Doing so means that the container is taking care of these issues for you, and (perhaps more importantly) that user identities are shared between the web layer and the EJB layer, because the server will be using the same underlying "database" of users and roles.
The only downside to this approach is that there is not yet a standardized API for portably accessing and maintaining a "database" of users and roles ("database" is in quotes because the actual implementation could be anything, including static text files or directory servers).