Realm

Authentication can be controlled by a web application or by the container (such as Tomcat) that the web application runs in.

Tomcat's container-managed security is based on realms. A realm contains the names of users, their passwords, and roles.

UserDatabase realm

Tomcat (version 5.5.20) comes configured with a UserDatabase realm as the active realm. The UserDatabase realm uses the tomcat-users.xml file in Tomcat's conf directory as the location for the name, password, and role data. Data from this file is loaded when Tomcat starts up and not at other times. Typically you need to modify this file manually to update it, so it's probably most useful during development but not in an actual production system.

JDBC realm

Benefits of a JDBC realm over a UserDatabase realm include being able to dynamically update the JDBC realm data at runtime rather than only at startup.

By default, in Tomcat's server.xml file, the UserDatabase realm is uncommented while a sample JDBC realm for MySQL is commented out.
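
A quick way to check which realm a given server.xml actually activates, as an added example (not part of the original page or of Tomcat itself). The embedded server.xml is a constructed sample in the layout described above; the function names, database name and credentials are placeholders.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample in the layout described above; the database name and
# credentials are placeholders, not values from a real installation.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <GlobalNamingResources>
    <Resource name="UserDatabase" auth="Container"
              type="org.apache.catalina.UserDatabase"
              factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
              pathname="conf/tomcat-users.xml" />
  </GlobalNamingResources>
  <Service name="Catalina">
    <Engine name="Catalina" defaultHost="localhost">
      <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
             resourceName="UserDatabase" />
      <!--
      <Realm className="org.apache.catalina.realm.JDBCRealm"
             driverName="org.gjt.mm.mysql.Driver"
             connectionURL="jdbc:mysql://localhost/authority"
             connectionName="EXAMPLE_USER" connectionPassword="EXAMPLE_PASSWORD"
             userTable="users" userNameCol="user_name" userCredCol="user_pass"
             userRoleTable="user_roles" roleNameCol="role_name" />
      -->
    </Engine>
  </Service>
</Server>"""

COMMENT = re.compile(r"<!--(.*?)-->", re.S)
REALM_CLASS = re.compile(r"<Realm\b[^>]*?\bclassName=\"([^\"]+)\"", re.S)

def audit_realms(server_xml):
    """Return (active, commented_out) lists of Realm class names."""
    commented = [c for body in COMMENT.findall(server_xml)
                 for c in REALM_CLASS.findall(body)]
    # Strip comments, then parse, so only realms Tomcat would load remain.
    root = ET.fromstring(COMMENT.sub("", server_xml))
    active = [r.get("className", "") for r in root.iter("Realm")]
    return active, commented

def file_backed_only(server_xml):
    """True when every active realm is the startup-loaded UserDatabase realm."""
    active, _ = audit_realms(server_xml)
    return bool(active) and all(a.endswith(".UserDatabaseRealm") for a in active)

if __name__ == "__main__":
    print(audit_realms(SAMPLE_SERVER_XML), file_backed_only(SAMPLE_SERVER_XML))
```

A `True` result from `file_backed_only` on a production server.xml means user data still comes only from tomcat-users.xml and changes require a restart.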