I am building an android application which communicates with the web server on apache tomcat. Web server build in JAVA EE. Currently for authentication and authorization I am using username , password and for managing the session I am using tokens. So when the user logs in I will check mysql database and authenticate the user. When the user tries to do some action , based on the token the sent , I will identify the user and authorize to do that action based on the privileges given to that user. It looks bit cumbersome . I was wondering is there any standard framework which make this task easy.

1. Is there any tomcat container level authentication and authorization possible , so the request won't reach the web application if its not authorized to do the action ?

2. Or else Is there any framework which provides standard authentication and authorization in web application ?

Apache Shiro is what you are looking for:

Apache Shiro is a powerful and easy-to-use Java security framework that performs authentication, authorization, cryptography, and session management. With Shiro’s easy-to-understand API, you can quickly and easily secure any application – from the smallest mobile applications to the largest web and enterprise applications.

I used Spring security (version 3) in couples of projects, the shortcoming was the size of jars you need to deploy (it is Spring!), it's was cumbersome.

Also I have integrated Apache Shiro with magnolia-cms, as far as I can say Apache Shiro has the strength of Spring Security with the ease of use.