pg_hba, access control for a webserver, superuser, and joe user

I am running a system with three types of users:

A)  Joe User, who may have a pg database
        I don't care if Joe User, once logged in to the system
        has to type a password or not to get access to his db

          local sameuser md5
               or
          local all ident sameuser
               or ?

B)  Superuser (postgres) who will need access to all dbs, w/o
        typing any password other than that of the postgres'
        pg user.

        I think I can do this through the use of a line in pg_hba.conf
          local all md5 admins
        where admins contains the name of the superuser.

C)  Web Server, which will run under one username, but will at
        times be required to access the databases of many users.
        This webserver's db mechanism, relies on passwords being
        stored, in the clear, in flat files.

        I would like to avoid that.  I believe I can avoid that
        in a reasonably secure mode if I use the ident mechanism
        and manage an ident map in pg_ident.conf

But permute as I might, I have not been able to piece all of this
together.  I can accomplish two out of three of these, but the whole
solution eludes me.

Does the order of statements in pg_hba.conf matter?
Is there a priority and a fallback of sorts?  Try this first mechanism
and if that fails, try the next mechanism?

What do most people do in this circumstance?  Or, what should my
pg_hba.conf file look like?

Thanks,

Jerry Asher
jerry.nospam@theashergroup.com (remove the .nospam to send mail)