If you are using your
servlet container's built-in security capabilities, then you frequently have the choice to use either a file-based (and probably XML file) solution, or use a database solution.
See here for links on
Tomcat's realm configuration
https://coderanch.com/t/81728/Tomcat/do-make-tomcat-users-more But even if you are using a built-in security model, or building your own, as William showed you, the 'best' option is really a matter of *lots* of different things.
XML seems easy. It doesn't require anything other than a file placed in the location your login servlet expects it to be, and it's easy to update.
But it's a *security* thing. Anyone with administrative access to your servlet container will be able to open the file in a text viewer and observe *everyone's* plain-text usernames and passwords.
Databases are more secure, but perhaps more of a pain to set up.