FYI, we ended up finding a solution to the problem above, but it required us to use Apache HTTP Server rather than Tomcat to secure the URLs and cache the Basic Auth credentials (since Tomcat apparently cannot do so) and configure Tomcat to respect the other component as the trusted source of principal information.
In detail:
- remove all security constraints from our Tomcat webapp's web.xml file
- install Apache HTTP Server to front Tomcat and configure Apache to secure the same paths that Tomcat had previously secured
- configure Apache to cache Basic Auth credentials for 10 minutes at a time
- configure Tomcat so that when you call HttpServletRequest#getRemoteUser(), Tomcat gets the info from Apache (this is invisible to the calling code)

--
- Bill
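
A sketch of the setup described in the post above, added here as an example and not taken from the original poster's configuration. It assumes Apache 2.4 with mod_authn_socache and mod_proxy_ajp; the paths, realm, backend address, the file provider and the shared-secret placeholder are all assumptions.

```apache
# Constructed example: paths, realm, provider and backend address are assumptions.
# Modules: mod_auth_basic, mod_authn_file, mod_authn_socache,
#          mod_socache_shmcb, mod_proxy, mod_proxy_ajp.

# Shared-memory store that holds the cached credentials.
AuthnCacheSOCache shmcb

# Protect the same paths that web.xml's security constraints used to cover.
<Location "/app/secure">
    AuthType Basic
    AuthName "Example Realm"

    # Consult the cache first, then fall back to the real provider.
    # (The gain is largest with slow backends such as LDAP or a database.)
    AuthBasicProvider socache file
    AuthUserFile "/etc/httpd/conf/example.htpasswd"

    # Cache credentials verified by the file provider for 10 minutes.
    AuthnCacheProvideFor file
    AuthnCacheTimeout 600

    Require valid-user
</Location>

# Forward requests to Tomcat over AJP. mod_proxy_ajp passes the
# authenticated user name along with each request.
ProxyPass "/app" "ajp://127.0.0.1:8009/app" secret=CHANGE_ME_PLACEHOLDER

# Tomcat side (server.xml), shown as a comment because it is XML:
#   <Connector protocol="AJP/1.3" address="127.0.0.1" port="8009"
#              tomcatAuthentication="false"
#              secret="CHANGE_ME_PLACEHOLDER" />
# tomcatAuthentication="false" makes getRemoteUser() return the user
# Apache authenticated. Tomcat then trusts whatever the connector says,
# so keep the AJP port on loopback (or firewalled) and set a secret.
```

The `secret` parameter on both sides needs a recent release of each server; on older versions, restricting the AJP listener to the loopback address is the control that keeps other hosts from asserting a user name to Tomcat.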