You're going to need to put a in your deployment descriptor. Something along the lines of this:
<security constraint>
<web-resource-collection>
<web-resource-name>Images</web-resource-name>
<url-pattern>/images/*</url-pattern>
<http-method>POST</http-method>
<web-resource-collection>
<auth-constraint>
<role-name>Admin</role-name>
<role-name>Member</role-name>
</auth-constraint>
</security-constraint>
<security-role><role-name>Admin</role-name></security-role>
<security-role><role-name>Member</role-name></security-role>
<security-role><role-name>Guest</role-name></security-role>
You will then need to define the user roles in a tomcat-users.xml file:
<tomcat-users>
<role rolename=”Admin”/>
<role rolename=”Member”/>
<role rolename=”Guest”/>
<user username=”Conor” password=”admin” roles=”Admin, Member, Guest” />
<user username=”SomebodyElse” password=”coder” roles=”Member, Guest” />
<user username=”Andrew” password=”newbie” roles=”Guest” />
</tomcat-users>