Well, this same question has been asked so many times and the solution has always been the same and has worked for many - this is why I felt a bit guilty asking something that has been asked many times.
Did you uncomment the comments that are represented as <!-- --> from the tags after making changes in tomcat-users.xml? If you haven't, your changes would still be treated as comments and Tomcat won't pick up the new configuration.
It will take a lot more work than that to get us to dislike you. The J2EE standard security framework is a mystery to many, many people. Which is unfortunate, because they then go out and invent their own, much less secure alternative systems.
First, you don't "log into Tomcat". Tomcat has no central point to log in to. What you are logging into is a security Realm. One or more webapps may share a Realm, some apps may not be Realm-based, some webapps may have their own individual Realms. You have considerable flexibility there. You can define a default Realm for a Tomcat Host element, and/or you can define a specific Realm in the Context definition of a single webapp. In the case of the Tomcat Manager and Tomcat Admin webapps as configured in the default server.xml setup, they share a common Realm.
Realms are actually plug-in authentication and authorization services and they come in many flavors. The original one that read the tomcat-users.xml file was the MemoryRealm, although in Tomcat6, 1 or 2 additional similar Realms were defined. Other popular Realm modules support JDBC data sources, LDAP/Active Directory, Single Signon, and so forth. Basically, anything that you can ask if it contains a userid/password and userid/role pair can have a Realm written for it.
To use a Realm you must do the following:
1. Set up roles in a secured webapp's WEB-INF/web.xml file. This has already been done for the Tomcat admin and manager apps.
2. Configure a Realm in either server.xml or the secured webapp's Context.
3. Ensure that the Realm data source works. Meaning, uncomment the commented-out users and roles (or define your own) in the tomcat-users.xml file if you are using one of the Memory Realms.
If you do all that and then restart Tomcat, then attempting to access a secured URL will result in the user being prompted by either a popup dialog (web.xml configured for BASIC security) or a login page (web.xml configured for FORM-based security; you also have to have defined a login form for that webapp).
Finally, be aware that if you're using an IDE to launch Tomcat, some of them really mangle Tomcat's configuration and may not pull in the Realm configuration properly. If all else fails, try launching Tomcat stand-alone.
An IDE is no substitute for an Intelligent Developer.
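An added example, not part of the original posts: a small Python check for step 3, reporting which users in a tomcat-users.xml are active, which entries are still inside `<!-- -->`, and which required roles no active user holds. The sample file, the role names `admin` and `manager`, and the function name `audit_users_file` are constructed for illustration; pass the role names from your own webapp's web.xml.

```python
import re
import xml.etree.ElementTree as ET

COMMENT = re.compile(r"<!--(.*?)-->", re.S)
# Finds <user username="..."> / <role rolename="..."> text inside a comment body.
ENTRY = re.compile(r'<(user|role)\b[^>]*?\b(?:username|rolename)="([^"]*)"')

# Constructed sample: one active user, one user and one role left commented out.
SAMPLE = """<tomcat-users>
  <role rolename="manager"/>
  <!--
  <role rolename="admin"/>
  <user username="tomcat" password="CHANGE_ME" roles="admin,manager"/>
  -->
  <user username="deploy" password="CHANGE_ME" roles="manager"/>
</tomcat-users>"""


def local(tag):
    """Drop an XML namespace prefix such as {http://...}user."""
    return tag.rsplit("}", 1)[-1]


def audit_users_file(xml_text, required_roles):
    # Entries still inside <!-- --> are invisible to the Realm.
    commented = [e for body in COMMENT.findall(xml_text) for e in ENTRY.findall(body)]
    # Parse only what the Realm would read: the file with comments removed.
    root = ET.fromstring(COMMENT.sub("", xml_text))
    users = {}
    for el in root.iter():
        if local(el.tag) == "user":
            roles = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}
            users[el.get("username")] = roles
    granted = set().union(*users.values())
    return {
        "active_users": users,
        "commented_out": commented,
        # Roles the secured webapp requires but no active user holds.
        "roles_without_user": sorted(set(required_roles) - granted),
    }


if __name__ == "__main__":
    for key, value in audit_users_file(SAMPLE, ["admin", "manager"]).items():
        print(key, value)
```

A non-empty `commented_out` list alongside a non-empty `roles_without_user` list is the situation described in the second post: the file was edited, but the Realm never sees the entries.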