I'm working on a user management system for my J2EE application.
To bypass the default Policy class, which reads permissions from a flat file, you have to develop your own set of modules, including LoginModule, Principal, Permission, PermissionCollection, and Policy classes. The getPermissions method in your Policy class will return a collection of permissions available for your Subject, authenticated in a corresponding LoginModule. With the custom Policy class you can control permissions at user or role level.
Both LoginModule and Policy classes can get user/role data from the database (and combine it with data from other authentication servers, like RADIUS). In a multi-tiered enterprise application (browser/servlets/EJB/DB) it is a little bit tricky (but possible) to handle authentication callbacks.
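As an added illustration of the custom Policy approach described in the answer above (example code written for this page, not code from the original poster or from any J2EE vendor), the following sketches a role-based `java.security.Policy` whose `getPermissions` is driven by the Principals a LoginModule attached to the Subject. The `RolePrincipal` class and the in-memory `rolePermissions` table are assumptions: a real deployment would load that table from the database the answer mentions, and the LoginModule (not shown) would add the `RolePrincipal` to the Subject in its `commit()` step.

```java
import java.security.CodeSource;
import java.security.Permission;
import java.security.PermissionCollection;
import java.security.Permissions;
import java.security.Policy;
import java.security.Principal;
import java.security.ProtectionDomain;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import java.util.Objects;
import java.util.PropertyPermission;

/** Hypothetical Policy that grants permissions by role rather than by code source. */
public class RoleBasedPolicy extends Policy {

    /** Hypothetical Principal carrying a role name; a LoginModule would attach it to the Subject. */
    public static final class RolePrincipal implements Principal {
        private final String role;

        public RolePrincipal(String role) {
            this.role = Objects.requireNonNull(role, "role");
        }

        @Override public String getName() { return role; }

        @Override public boolean equals(Object o) {
            return o instanceof RolePrincipal && ((RolePrincipal) o).role.equals(role);
        }

        @Override public int hashCode() { return role.hashCode(); }

        @Override public String toString() { return "RolePrincipal[" + role + "]"; }
    }

    // Constructed role-to-permission table; production code would populate this from the DB.
    private final Map<String, PermissionCollection> rolePermissions = new HashMap<>();

    public RoleBasedPolicy() {
        grant("admin", new RuntimePermission("shutdownHooks"));
        grant("admin", new PropertyPermission("user.home", "read"));
        grant("user", new PropertyPermission("user.home", "read"));
    }

    private void grant(String role, Permission permission) {
        rolePermissions.computeIfAbsent(role, r -> new Permissions()).add(permission);
    }

    /** Union of the permissions of every RolePrincipal in the domain; unknown roles get nothing. */
    @Override
    public PermissionCollection getPermissions(ProtectionDomain domain) {
        Permissions granted = new Permissions();
        if (domain == null || domain.getPrincipals() == null) {
            return granted; // deny by default when there is no authenticated identity
        }
        for (Principal principal : domain.getPrincipals()) {
            if (!(principal instanceof RolePrincipal)) {
                continue; // ignore Principals we did not issue
            }
            PermissionCollection forRole = rolePermissions.get(principal.getName());
            if (forRole == null) {
                continue;
            }
            for (Enumeration<Permission> e = forRole.elements(); e.hasMoreElements();) {
                granted.add(e.nextElement());
            }
        }
        return granted;
    }

    /** A code source alone carries no user identity, so it is granted nothing. */
    @Override
    public PermissionCollection getPermissions(CodeSource codesource) {
        return new Permissions();
    }

    @Override
    public boolean implies(ProtectionDomain domain, Permission permission) {
        return getPermissions(domain).implies(permission);
    }

    /** Stand-alone check: a "user" domain may read user.home but may not register shutdown hooks. */
    public static void main(String[] args) {
        RoleBasedPolicy policy = new RoleBasedPolicy();
        Principal[] userPrincipals = { new RolePrincipal("user") };
        ProtectionDomain userDomain = new ProtectionDomain(null, null, null, userPrincipals);

        System.out.println("user may read user.home: "
                + policy.implies(userDomain, new PropertyPermission("user.home", "read")));
        System.out.println("user may add shutdown hooks: "
                + policy.implies(userDomain, new RuntimePermission("shutdownHooks")));
    }
}
```

The deny-by-default shape matters: both `getPermissions` overloads return an empty collection unless a Principal this Policy issued is present, so a caller that never went through the LoginModule gets nothing. Note that `java.security.Policy` (together with the SecurityManager it serves) is deprecated for removal from Java 17 onward, so this pattern applies to the classic J2EE runtimes the answer is about; on current platforms the same role-to-permission lookup is usually done in application code or in the container's authorization layer.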