web app security authorization question

I've tested and used the tomcat-user.xml file in conjunction with the <security-constraint> tags in DD to limit access to certain pages. Using this method, I've defined username, passwords and roles in the tomcat-user.xml file.
<tomcat-users> <role rolename="Admin"/> <user username="Al" password="mypassword" roles="Admin"/> </tomcat-users>

I was wondering how this is handled in bigger applications where it wouldn't be efficient to declare all users and their passwords in a tomcat-user.xml file.

I'm guessing information such as username, passwords, and roles can be kept in a database and not in a xml file.
My question is, how do you tell a container that a user has a certain role if you don't declare it in tomcat-user.xml?

Thanks

I use declarative security for small apps.
For larger things, I usually end up writing my own as the login involves fetching and setting up a lot of things.

You can, with Tomcat create JDBC realms to allow you to use declarative security with a database.
http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html
[ May 14, 2008: Message edited by: Ben Souther ]

Thanks! much appreciated!