There should be model role definitions in the originally-supplied tomcat-users.xml file that will suffice. Although as shipped they may be commented out.
When a server returns a 401 response, the client must log in. That means that a request containing the encoded userid and password must be sent to Tomcat to be validated. Once your client app has logged in, then you can send Tomcat admin URLs.
And, no, I don't have any code like that lying around. I'd have to do the same thing I recommend that you do: Google. Useful magic words include "RFC" and "Basic Authentication", since the definitive documentation for handling a 401 (Basic Authentication) request is one of the Internet RFC documents, which will typically include simple examples of how things are done. If your client app hasn't disabled cookies, a successful login request will return a cookie which will be used to maintain the session context for future requests. And, if you're using the HttpURLConnection, cookie handling is completely automatic, so you don't need to code anything for it.
Author and all-around good cowpoke
Joined: Mar 22, 2000
Note that you have to restart Tomcat if you change the users xml file.