I think these are both the same question. The user would not
authenticate with the role-name, but with a user name like
JohnSmith or whatever. If I change "John Smith" in your
question to "Joe", this example might help.
In a demo of the
Tomcat 4 server I used this in a particular
web application's web.xml:
<security-constraint>
<web-resource-collection>
<web-resource-name>Entire Application</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<!-- NOTE: This role is not present in the default users file -->
<role-name>manager</role-name>
</auth-constraint>
</security-constraint>
Then, in the tomcat-users.xml, I defined the usernames for
the security roles:
<tomcat-users>
<user name="tomcat" password="tomcat" roles="tomcat" />
<user name="role1" password="tomcat" roles="role1" />
<user name="both" password="tomcat" roles="tomcat,role1" />
<user name="joe" password="secret" roles="tomcat,role1,manager" />
</tomcat-users>
I used Emacs

but other app servers may have other tools for
doing this. The user information can come from a database, from
a directory service, etc.
Thanks,
Joe