You could use this tag into web.xml for example :
<web-app>
<security-constraint>
<web-resource-collection>
<web-resource-name>
Protected Site
</web-resource-name>
<!-- This would protect the entire site -->
<url-pattern> /* </url-pattern>
<!-- If you list http methods,
only those methods are protected -->
<http-method> DELETE </http-method>
<http-method> GET </http-method>
<http-method> POST </http-method>
<http-method> PUT </http-method>
</web-resource-collection>
<auth-constraint>
<!-- role-name indicates roles that are allowed
to access the web resource specified above -->
<role-name>tomcat</role-name>
<role-name>role1</role-name>
</auth-constraint>
</security-constraint>
<!-- BASIC authentication -->
<login-config>
<auth-method> BASIC </auth-method>
<realm-name> Example Basic Authentication </realm-name>
</login-config>
</web-app>
and then you should define role in tomcat in this address :
TOMCAT_HOME/conf/tomcat-users.xml
tags are :
<tomcat-users>
<user name="tomcat" password="tomcat" roles="tomcat" />
<user name="role1" password="tomcat" roles="role1" />
<user name="both" password="tomcat" roles="tomcat,role1" />
</tomcat-users>