There are several realm implementation in tomcat - memory, database, JAAS and more. The easiest one to configure (though not the most secure) the memory one, which contains a single XML file, usually under conf/tomcat-users.xml:

<tomcat-users>
  <user name="tomcat" password="tomcat" roles="tomcat" />
  <user name="role1"  password="tomcat" roles="role1"  />
  <user name="both"   password="tomcat" roles="tomcat,role1" />
</tomcat-users>

The realm configuration is under the context, host or engine configurations, like this:

<Realm className="org.apache.catalina.realm.MemoryRealm"
       pathname="conf/tomcat-users.xml" />

Then, in the web.xml you put the following definition:

    <security-constraint>
            <web-resource-collection>
                    <web-resource-name>MRC Customer Care</web-resource-name>
                    <url-pattern>/protected/*</url-pattern>
            </web-resource-collection>
            <auth-constraint>
                    <role-name>role1</role-name>
            </auth-constraint>
    </security-constraint>

    <!-- Define the Login Configuration for this Application -->
    <login-config>
            <auth-method>DIGEST</auth-method>
            <realm-name>YOUR REALM NAME</realm-name>
    </login-config>

    <security-role>
            <description>
              The role that is required to access the application. 
              Should be on from the realm (the tomcat-users.xml file).
            </description>
            <role-name>role1</role-name>                  
    </security-role>

The web.xml part is taken (with slight change) from one of our web apps.

Besides the auth-constraint you are adding to the security-constraint:

   <auth-constraint>
       <role-name>*</role-name>
   </auth-constraint>

you need specify the security role in the web-app:

    <security-role>
        <role-name>*</role-name>
    </security-role>

If we are using Tomcat 8.x , as the provided server.xml will come in a nested Realm element, please add 'allRolesMode="authOnly"' in the "outmost" Realm element and change aforementioned web.xml for testing. e.g.

  <Realm allRolesMode="authOnly" className="org.apache.catalina.realm.LockOutRealm">
    <!-- This Realm uses the UserDatabase configured in the global JNDI
         resources under the key "UserDatabase".  Any edits
         that are performed against this UserDatabase are immediately
         available for use by the Realm.  -->
    <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
           resourceName="UserDatabase" />
  </Realm>

Please read org.apache.catalina.realm.RealmBase.java for details.

Also, following settings in logging.properties are useful.

org.apache.catalina.realm.level=ALL
org.apache.catalina.realm.useParentHandlers=true
org.apache.catalina.authenticator.level=ALL
org.apache.catalina.authenticator.useParentHandlers=true