You should consult the Tomcat documentation for how to do this. Basically, you'll need to create a protected resource collection in your deployment descriptors, create roles in your deployment descriptors, create some database or other data store whose data will be consulted when a user logs into the protected area of your web application, and that's it.
What roles belong to an individual when they authenticate themselves to the application is specified in the database, or however you set it up in Tomcat. Check out the docs. It's pretty simple.
Nathaniel Stodard
SCJP, SCJD, SCWCD, SCBCD, SCDJWS, ICAD, ICSD, ICED
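
The setup described in the post above, sketched as an added example (not code from the poster or from the Tomcat project). It assumes Tomcat 8 or later; the `/admin/*` path, the `admin` role, the login page names, the `jdbc/authDB` DataSource and the table and column names are all hypothetical.

```xml
<!-- WEB-INF/web.xml (fragment): protected resource collection and roles -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Admin area</web-resource-name>
    <!-- No http-method elements: the constraint covers every HTTP method -->
    <url-pattern>/admin/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>admin</role-name>
  </auth-constraint>
  <user-data-constraint>
    <!-- Require TLS so credentials and session cookies are not sent in clear -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/login-error.jsp</form-error-page>
  </form-login-config>
</login-config>

<security-role>
  <role-name>admin</role-name>
</security-role>

<!-- META-INF/context.xml (fragment): data store consulted at login -->
<Context>
  <!-- Assumes a JNDI DataSource named jdbc/authDB is defined for this app -->
  <Realm className="org.apache.catalina.realm.DataSourceRealm"
         dataSourceName="jdbc/authDB" localDataSource="true"
         userTable="users" userNameCol="user_name" userCredCol="user_pass"
         userRoleTable="user_roles" roleNameCol="role_name">
    <!-- Stored passwords are salted PBKDF2 hashes, not plain text -->
    <CredentialHandler
        className="org.apache.catalina.realm.SecretKeyCredentialHandler"
        algorithm="PBKDF2WithHmacSHA512" iterations="100000"
        saltLength="16" keyLength="256"/>
  </Realm>
</Context>
```

With FORM authentication, the login page posts `j_username` and `j_password` to `j_security_check`, and the role names in `web.xml` must match the values stored in the role column exactly.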