Tomcat implements the J2EE Container-Managed security standard using plug-in modules called "Realms". The default configuration in server.xml is to use a MemoryRealm, which uses the tomcat-users.xml file as its "database". Any realm will do, including LDAP/ActiveDirectory, JDBC and many more, but that one requires no external resources, so it's a simple way to get started. And actually, although it's the "default" Realm in server.xml, the real default is no Realm at all, since as shipped, it's commented out. The original MemoryRealm would not recognize changes to tomcat-users.xml until you restarted Tomcat. Some of the newer children of that Realm can, but in no case will changes to a user or role definition be recognized until the user has logged out and back in again (to do otherwise would be a potential security problem).
If you attempt to access a URL that's Realm-protected, Tomcat will immediately intercept the request and present a login screen or dialog (depending on which option was set in the webapp's web.xml file). Failure to log in will prevent you from going further. If you log in, but your userid doesn't include a role associated with that URL, you get a "503 Forbidden" error.
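As an added illustration (not from the original text or the Tomcat distribution), the fragments below show how a role in tomcat-users.xml ties to a Realm-protected URL in a webapp's web.xml. The user alice, the role reports, the /reports/* path and the password placeholder are all assumptions made up for the example.

```xml
<!-- conf/tomcat-users.xml: the MemoryRealm "database" (constructed sample) -->
<tomcat-users>
  <role rolename="reports"/>
  <!-- Placeholder password; replace it before use -->
  <user username="alice" password="REPLACE_WITH_REAL_PASSWORD" roles="reports"/>
</tomcat-users>

<!-- WEB-INF/web.xml of the webapp: these elements go inside <web-app> -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Reports area</web-resource-name>
    <!-- Any URL under /reports/ in this context is Realm-protected -->
    <url-pattern>/reports/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <!-- Only users holding this role may pass; others are refused after login -->
    <role-name>reports</role-name>
  </auth-constraint>
  <user-data-constraint>
    <!-- Require HTTPS so the credentials are not sent over plain HTTP -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<login-config>
  <!-- BASIC makes the browser show a login dialog. FORM would show a login
       page instead and needs a form-login-config element naming that page. -->
  <auth-method>BASIC</auth-method>
  <realm-name>Reports area</realm-name>
</login-config>

<security-role>
  <!-- Declares the role name used in the auth-constraint above -->
  <role-name>reports</role-name>
</security-role>
```

With this in place, a user who logs in without the reports role gets the Forbidden response described above, and a request outside /reports/ is not intercepted at all.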
A 404 error indicates that Tomcat could not process an allowed URL. That can occur if you attempt to communicate with a non-existent webapp (the context name in the URL doesn't match any deployed context) or if the webapp exists but doesn't have a method defined for returning a suitable response, either directly (via a servlet or jsp) or by percolating up to the Tomcat default webapp, which is what serves up things like static image/css/javascript files, lists directories, and so forth.
If you aren't talking to a port that Tomcat's listening on, then unless some OTHER server is listening on that port, the network connection to that port will fail and the client will (hopefully!) display an error message. If you attempt to talk to a port using the wrong protocol (for example, sending plain text to an HTTPS port), usually that, too, will give some sort of error message, which is typically somewhat cryptic.