A few months ago, I wanted to create my JDBC realm with GlassFish, and I also had a lot of doubts. I will try to explain more or less how I did it using JPA.
Many of the examples suggest creating the tables that contain user/group information manually in SQL.
I disagree: if you use JPA for other persistence tasks, why make an exception for security? Therefore, JPA is a good idea. Copying and pasting a piece of SQL into the DB console is easy, but it is better if you have entities that will automatically create these tables for you when you deploy your application.
The textbook you are following is fine; I think there is no such thing as a best practice.
I will give you some resources that I think will help you create a JDBC realm. Maybe you are interested in something simpler just to warm up; in that case, check out this post:
http://javing.blogspot.in/2012/05/here-in-this-video-you-can-see-how-i.html
It talks about role-based security in GlassFish; I think it can give you some advice.
If you want to know how to create a JDBC realm with JPA, follow this question that I asked earlier; at the end you will find a solution:
Glassfish 3 Security - Form Based Authentication Using JDBC Realm
If you post some code, we can help you out if you get stuck.
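An added example, not part of the original answer: one way the user and group tables for a GlassFish JDBC realm can come from a JPA entity instead of hand-written SQL. The entity, table and column names are hypothetical, and the realm is assumed to be configured with `digest-algorithm` SHA-256 and hex `encoding`.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HashSet;
import java.util.Set;
import javax.persistence.*;

// Hypothetical names throughout; the comments name the realm property each one feeds.
@Entity
@Table(name = "REALM_USERS")                                   // user-table
public class RealmUser {

    @Id
    @Column(name = "USERNAME", length = 64)                    // user-name-column
    private String username;

    @Column(name = "PASSWORD", nullable = false, length = 64)  // password-column (64 hex chars)
    private String passwordHash;

    // One row per (user, group) in a second table. The join column reuses the
    // name USERNAME so the realm can look groups up by the same column name.
    @ElementCollection(fetch = FetchType.EAGER)
    @CollectionTable(name = "REALM_USER_GROUPS",               // group-table
                     joinColumns = @JoinColumn(name = "USERNAME"))
    @Column(name = "GROUPNAME", nullable = false)              // group-name-column
    private Set<String> groups = new HashSet<String>();

    protected RealmUser() { }                                  // required by JPA

    public RealmUser(String username, String password) {
        this.username = username;
        this.passwordHash = sha256Hex(password);               // never store the clear text
    }

    public String getUsername() { return username; }
    public Set<String> getGroups() { return groups; }

    // Must produce exactly what the realm computes at login (assumed: SHA-256, lowercase hex).
    static String sha256Hex(String password) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            byte[] digest = md.digest(password.getBytes(StandardCharsets.UTF_8));
            StringBuilder hex = new StringBuilder();
            for (byte b : digest) hex.append(String.format("%02x", b));
            return hex.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }
}
```

The tables are created at deploy time only if the persistence unit enables schema generation (for EclipseLink, the `eclipselink.ddl-generation` property). The realm compares a plain, unsalted digest, so protect the user table accordingly and enforce strong passwords.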