After looking through various
Tomcat and
servlet docs, it looks to me like this sort of security restriction is not easy to implement in your basic tomcat. I think you are going to need something beyond the basic role defining method that comes with Tomcat.
Bill