pg_hba, access control for a webserver, superuser, and joe user

From: jerry(dot)nospam(at)theashergroup(dot)com (Jerry Asher)
To: pgsql-admin(at)postgresql(dot)org
Subject: pg_hba, access control for a webserver, superuser, and joe user
Date: 2003-01-28 23:39:03
Message-ID: 836fa09a.0301281539.5bd3b38f@posting.google.com
Lists: pgsql-admin

I am running a system with three types of users:

A) Joe User, who may have a pg database
I don't care if Joe User, once logged in to the system
has to type a password or not to get access to his db

local sameuser md5
or
local all ident sameuser
or ?

B) Superuser (postgres) who will need access to all dbs, w/o
typing any password other than that of the postgres'
pg user.

I think I can do this through the use of a line in pg_hba.conf
local all md5 admins
where admins contains the name of the superuser.

C) Web Server, which will run under one username, but will at
times be required to access the databases of many users.
This webserver's db mechanism relies on passwords being
stored, in the clear, in flat files.

I would like to avoid that. I believe I can avoid that
in a reasonably secure mode if I use the ident mechanism
and manage an ident map in pg_ident.conf

But permute as I might, I have not been able to piece all of this
together. I can accomplish two out of three of these, but the whole
solution eludes me.

Does the order of statements in pg_hba.conf matter?
Is there a priority and a fallback of sorts? Try this first mechanism
and if that fails, try the next mechanism?

What do most people do in this circumstance? Or, what should my
pg_hba.conf file look like?

Thanks,

Jerry Asher
jerry(dot)nospam(at)theashergroup(dot)com (remove the .nospam to send mail)
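
Added example, not part of the original message: on the ordering question, PostgreSQL's documentation states that the first pg_hba.conf record matching the connection type, database and user is used, with no fall-through if authentication then fails. The Python sketch below models that selection for local records, assuming the five-field layout (type, database, user, method, option) of PostgreSQL 7.3 and later; the sample rules and the map name usermap are constructed.

```python
# Added illustration, not from the post: models record selection for local
# (Unix-socket) connections. SAMPLE_HBA and the map name "usermap" are constructed.
SAMPLE_HBA = """
# TYPE  DATABASE  USER      METHOD  OPTION
local   all       postgres  md5
local   sameuser  all       ident   usermap
local   all       all       md5
"""

def parse_hba(text):
    """Return local records as (database, user, method, option) tuples, in file order."""
    records = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if not fields or fields[0] != "local":
            continue
        if len(fields) < 4:
            raise ValueError("incomplete record: %r" % line)
        records.append((fields[1], fields[2], fields[3],
                        fields[4] if len(fields) > 4 else None))
    return records

def field_matches(spec, value, db_user=None):
    """Match a database or user field: 'all', 'sameuser' (database only), or names."""
    for item in spec.split(","):
        if item == "all":
            return True
        if item == "sameuser" and db_user is not None:
            if value == db_user:
                return True
        elif item == value:
            return True
    return False

def select_record(records, database, user):
    """The first matching record decides the method; there is no fall-through."""
    for number, (db_spec, user_spec, method, option) in enumerate(records, 1):
        if field_matches(db_spec, database, db_user=user) and field_matches(user_spec, user):
            return number, method, option
    return None  # no record matched: the connection is rejected

def never_selected(records, probes):
    """Record numbers that no (database, user) probe reaches, e.g. shadowed lines."""
    hit = {select_record(records, db, user)[0] for db, user in probes
           if select_record(records, db, user)}
    return [n for n in range(1, len(records) + 1) if n not in hit]

if __name__ == "__main__":
    for db, user in [("joe", "joe"), ("joe", "postgres"), ("alice", "joe")]:
        print(db, user, select_record(parse_hba(SAMPLE_HBA), db, user))
```

Moving the catch-all `local all all md5` line to the top makes it match every connection, so never_selected reports the two records below it as unreachable.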
