Q: "What is the purpose of the realm name in the login-config element?"
From the Java EE 6 tutorial:
A realm is a security policy area specific to a web server or application server. A realm contains a collection of users who may or may not be assigned to a group.
The behavior is defined this way in the current Servlet 3.0 specification:
HTTP Basic Authentication, which is based on a username and password, is the authentication mechanism defined in the HTTP/1.0 specification. The web server requests a web client to authenticate the user. As part of the request, the web server passes the realm (a string) in which the user must be authenticated. The web client obtains the username and password from the user and transmits them to the web server. The web server then authenticates the user in the specified realm.
Q: "Where can I set up a username, password and map users to roles?"
This is container-specific. That is, each server vendor is free to decide how users/groups are defined and how this information is configured. There are usually several ways to do this.
Users and groups are often defined in a directory. The server is then configured to use this directory, and the administrator maps the application roles during deployment.
A Tomcat developer test server may use a flat file; a WebSphere production server can connect to an Exchange directory through LDAP.
For more information, see the documentation for your server.
You could do worse than follow the Oracle Java EE 6 tutorial with NetBeans and GlassFish, but keep in mind which steps are specific to that vendor's product.
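A minimal Servlet 3.0 web.xml showing where the realm name sits relative to the role constraint, added here as an illustration and not part of the original answer. The URL pattern, role name and realm string are assumed values; the users behind the role are still defined in the container, as the answer describes.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         version="3.0">

  <!-- Which URLs are protected and which application role may reach them.
       "/admin/*" and "admin" are assumed example values. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin pages</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
    <!-- Basic authentication sends the password only base64-encoded,
         so require TLS for the protected resources. -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- The realm name is the string the server passes to the client in
       its challenge, for example:
         HTTP/1.1 401 Unauthorized
         WWW-Authenticate: Basic realm="Example Admin Realm"
       It does not define any users or passwords by itself. -->
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Example Admin Realm</realm-name>
  </login-config>

  <!-- Declares the application role. Mapping real users or groups onto
       it is done in the container (flat file, LDAP directory, ...),
       not in this descriptor. -->
  <security-role>
    <role-name>admin</role-name>
  </security-role>
</web-app>
```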