Doesn't the server get them from the database, if it is used?
When designing a web app you will have to think of the different actors involved in your use cases. These groups of users you will have to make available to the container by using the <security-role> element.
How you map explicit users to a role name is typically done by storing that information (user and roles) in a database. This is, however, not necessary; in Tomcat, you can define them in a simple property file (tomcat-users.xml).
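An added example, not part of the original posts: a small check that cross-references the roles an application declares with <security-role> against the user-to-role mapping in tomcat-users.xml. Both XML documents are constructed samples with placeholder passwords, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample deployment descriptor (WEB-INF/web.xml).
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin pages</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
      <role-name>auditor</role-name>
    </auth-constraint>
  </security-constraint>
  <security-role><role-name>admin</role-name></security-role>
  <security-role><role-name>customer</role-name></security-role>
</web-app>"""

# Constructed sample conf/tomcat-users.xml; passwords are placeholders.
TOMCAT_USERS_XML = """<tomcat-users>
  <user username="alice" password="PLACEHOLDER" roles="admin,customer"/>
  <user username="bob" password="PLACEHOLDER" roles="customer,legacy"/>
</tomcat-users>"""

def local(tag):
    # Drop an XML namespace prefix such as "{https://jakarta.ee/xml/ns/jakartaee}".
    return tag.rsplit("}", 1)[-1]

def role_names(root, parent):
    # Collect every <role-name> that is a direct child of a <parent> element.
    return {r.text.strip() for el in root.iter() if local(el.tag) == parent
            for r in el if local(r.tag) == "role-name" and r.text}

def audit(web_xml, users_xml):
    web, users = ET.fromstring(web_xml), ET.fromstring(users_xml)
    declared = role_names(web, "security-role")    # roles the app announces
    required = role_names(web, "auth-constraint")  # roles guarding URLs
    members = {}                                   # role -> set of usernames
    for u in users.iter():
        if local(u.tag) == "user":
            for role in u.get("roles", "").split(","):
                if role.strip():
                    members.setdefault(role.strip(), set()).add(u.get("username"))
    return {
        "required_but_undeclared": sorted(required - declared),
        "mapped_but_unknown_to_app": sorted(set(members) - declared),
        "declared_without_users": sorted(declared - set(members)),
        "members": {r: sorted(members.get(r, ())) for r in sorted(declared)},
    }
```

A role that guards a URL but has no <security-role> declaration, or a role handed to users that the application never declares, usually points to a typo or a stale mapping worth reviewing.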