Realm-based authentification for Tomcat Web Apps

I needed to find out how to secure a Tomcat Web App with a password, and found the answer here. Basically, you need to edit the Web app's web.xml and add this little piece of xml to it:

<!-- Define a security constraint on this application -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Entire Application</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <!-- This role is not in the default user directory -->
    <role-name>manager</role-name>
  </auth-constraint>
</security-constraint> 			
<!-- Define the login configuration for this application -->
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>Tomcat Manager Application</realm-name>
</login-config>

This is enough if you want to protect the Web app with the same password as the manager application (changing the realm name would probably make sense). If you want to define a new role for this Web app, you can do it as follows (again taking the example from the manager, so change the description and role name):

<!-- Security roles referenced by this web application -->
<security-role>
  <description>
    The role that is required to log in to the Manager Application
  </description>
  <role-name>manager</role-name>
</security-role>

All that needs to be done now is to reload your Web app.