From tomcat docs:
You can nest one or more Context elements inside this Host element, each
representing a different web application associated with this virtual
host. In addition, you can nest a single DefaultContext element that
defines default values for *subsequently* deployed web applicatio
As it states, the authenticator valve must be attached to the context,
not the host.
Just put your valve at host level and it should be called before the
authentification valve which is automatically added to the context.xml
at deployement.
Also, take a look at single sign-on valve which doe a
