How do I assign the user's role without using a login form?
Chapter 11 of the Servlet 2.2 specification is entirely related to Security. Basically the concept is that you can use the standard http authentication schemes (i.e.: basic, digest). This means that you can authenticate a user among a database (or, for example, another source) without developing html login forms.
For Tomcat 3.2.x there is an interesting example of a JDBC Realm.
[In Servlet 2.3 spec, the Security chapter is now 12.
Also - There's no way to programmatically set the user (e.g. request.setRemoteUser), but if you need to, you can just use a session variable to let yourself know that this user is "ok."