If your requirements are simple you may not need to do much of anything. Tomcat has other authentication options besides the XML file, e.g. accessing a DB, LDAP or JAAS. Check out the Tomcat realm documentation for further details.
There is no best practice, really. It depends a whole lot on the requirements of your application. Some applications need more functionality than realms provide; in that case you need to roll your own.
Struts in particular needs to make do with what the Servlet API provides. That rules out using realms (which are a Tomcat-only thing).
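As an added illustration of the database-backed realm option mentioned above (this is not code from the thread; table and column names, the JNDI resource name and the JDBC settings are assumptions), here is a Tomcat 8.5/9 server.xml fragment that swaps the tomcat-users.xml realm for a DataSourceRealm with hashed credentials and a lockout wrapper:

```xml
<!-- Added example, not from the thread: a Tomcat (8.5/9) server.xml fragment
     replacing the tomcat-users.xml UserDatabaseRealm with a database-backed
     realm. Table/column names and the JNDI resource name are assumptions. -->
<GlobalNamingResources>
  <!-- Assumed JDBC pool; driver, URL and credentials are placeholders. -->
  <Resource name="jdbc/AuthDB" auth="Container" type="javax.sql.DataSource"
            driverClassName="org.postgresql.Driver"
            url="jdbc:postgresql://localhost:5432/authdb"
            username="tomcat_auth" password="CHANGE-ME"
            maxTotal="20" maxIdle="5"/>
</GlobalNamingResources>

<Engine name="Catalina" defaultHost="localhost">
  <!-- LockOutRealm wraps the real realm and rejects a user after
       repeated failures, which blunts online password guessing. -->
  <Realm className="org.apache.catalina.realm.LockOutRealm"
         failureCount="5" lockOutTime="300">
    <Realm className="org.apache.catalina.realm.DataSourceRealm"
           dataSourceName="jdbc/AuthDB"
           userTable="users" userNameCol="user_name" userCredCol="user_pass"
           userRoleTable="user_roles" roleNameCol="role_name">
      <!-- Stored credentials are salted, iterated SHA-256 digests rather than
           plaintext; generate them with bin/digest.sh using the same settings. -->
      <CredentialHandler className="org.apache.catalina.realm.MessageDigestCredentialHandler"
                         algorithm="SHA-256" iterations="100000" saltLength="16"/>
    </Realm>
  </Realm>
  <!-- Host and Context elements omitted; they are unchanged by the realm choice. -->
  <Host name="localhost" appBase="webapps"/>
</Engine>
```

The web application still declares its security-constraint, login-config and role names in web.xml, so this part of the setup is portable Servlet API configuration and only the realm behind it is container-specific.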
Best practice is to make an Interlock: a grid, no matter how minor, such that the system will continue to function in a reliable manner with 20% of the system broken. Often this lattice brings Trust, Logging, Training, Observation and Rollback. Risk/Reward must be given some place in the analysis matrix; logon authentication is complexified by the fact that people will stickum the password on the front of the monitor.
One would not do that with keys to a storage shed.
"The differential equations that describe dynamic interactions of power generators are similar to that of the gravitational interplay among celestial bodies, which is chaotic in nature."