Welcome to the JavaRanch, José!
Tomcat supports J2EE-standard container-based Authentication and Authorization. You can read up on that in most good books on servlets and JSPs.
The J2EE and JEE standards don't specify what mechanisms are actually used to handle login. They leave that up to the server, since login is handled by the server. In the case of Tomcat, the login processor is supported by plugins called Realms.
About the simplest way to use this process is to configure a MemoryRealm, as documented in the Tomcat online documentation. The default for the MemoryRealm is to check userids and passwords against entries in an XML file named (by default) "conf/tomcat-users.xml". This file also defines the names of the security roles assigned to users and assigns the roles to the users.
tomcat-users.xml is good for testing, but on production systems, it's better to use a more advanced Realm such as a DataBaseRealm or JNDIRealm. Fortunately, this can be done easily by just changing the webapp deployment descriptor. No application changes are required.
The secret of how to be miserable is to constantly expect things are going to happen the way that they are "supposed" to happen.
You can have faith, which carries the understanding that you may be disappointed. Then there's being a willfully-blind idiot, which virtually guarantees it.
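The container-managed setup described in the post above, as an added configuration sketch that is not part of the original post. The user name, password placeholder, role name, URL pattern and realm name are constructed for illustration; the three fragments belong in separate files, as the comments indicate.

```xml
<!-- 1. Realm selection: a <Realm> nested in <Engine>, <Host> or <Context>.
     Shown here in a Context (for example META-INF/context.xml). -->
<Context>
  <Realm className="org.apache.catalina.realm.MemoryRealm"
         pathname="conf/tomcat-users.xml" />
</Context>

<!-- 2. conf/tomcat-users.xml: users, roles and the user-to-role mapping.
     Constructed sample entry; the password is a placeholder. -->
<tomcat-users>
  <role rolename="reports-admin" />
  <user username="jose" password="CHANGE-ME-placeholder" roles="reports-admin" />
</tomcat-users>

<!-- 3. WEB-INF/web.xml: which URLs are protected and which role may use them.
     No <http-method> is listed, so the constraint covers every HTTP method. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Admin pages</web-resource-name>
    <url-pattern>/admin/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>reports-admin</role-name>
  </auth-constraint>
  <!-- BASIC sends the password base64-encoded, not encrypted: require TLS -->
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>Reports</realm-name>
</login-config>

<security-role>
  <role-name>reports-admin</role-name>
</security-role>
```

The web.xml fragment names only roles, never users or passwords, so it stays the same whichever Realm supplies the accounts.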