I've tested and used the tomcat-user.xml file in conjunction with the <security-constraint> tags in DD to limit access to certain pages. Using this method, I've defined username, passwords and roles in the tomcat-user.xml file.
I was wondering how this is handled in bigger applications where it wouldn't be efficient to declare all users and their passwords in a tomcat-user.xml file.
I'm guessing information such as username, passwords, and roles can be kept in a database and not in a xml file. My question is, how do you tell a container that a user has a certain role if you don't declare it in tomcat-user.xml?