Tomcat manages application security through the concept of realm. A realm is a coherent package of name password pairs that identify valid users for a web application. Tomcat’s default realm is MemoryRealm. This realm reads the famous conf/tomcat-users.xml file and uses it check for name password pair validity. Tomcat also provides realms to check against pairs stored in a database, either through a direct connection, or through a configured datasource.