This week's book giveaway is in the OO, Patterns, UML and Refactoring forum. We're giving away four copies of Refactoring for Software Design Smells: Managing Technical Debt and have Girish Suryanarayana, Ganesh Samarthyam & Tushar Sharma on-line! See this thread for details.
Don't the server get them from the Database, if it used?
When designing a web-app you will have to think of the different actors involved in your use-cases. These groups of users you will have to make available to the container by using the <security-role> element.
How you map explicit users to a role-name is typically done by storing that information (user and roles) in a database. This is however not necessary, in tomcat, you can define them in a simple property file (tomcat-users.xml)