Tomcat supports J2EE-standard container-based Authentication and Authorization. You can read up on that in most good books on servlets and JSPs.
The J2ee and JEE standards don't specify what mechanisms are actually used to handle login. They leave that up to the server, since login is handled by the server. In the case of Tomcat, the login processor is supported by plugins called Realms.
About the simplest way to use this process is to configure a MemoryRealm, as documented in the Tomcat online documentation. The default for the MemoryRealm is to check userids and passwords against entries in an XML file named (by default) "conf/tomcat-users.xml". This file also defines the names of the security roles assigned to users and assigns the roles to the users.
tomcat-users.xml is good for testing, but on production systems, it's better to use a more advanced Realm such as a DataBaseRealm or JNDIRealm. Fortunately, this can be done easily by just changing the webapp deployment descriptor. No application changes are required.
Customer surveys are for companies who didn't pay proper attention to begin with.