I just lookup the servlet spec....It looks like this isn't working with tomcat..? Anyone know how can I share the users principal in different web application in the same security domain without re-authenticate again?

SRV.12.6 Server Tracking of Authentication Information
As the underlying security identities (such as users and groups) to which roles are
mapped in a runtime environment are environment specific rather than application
specific, it is desirable to:

1. Make login mechanisms and policies a property of the environment the web
application is deployed in.

2. Be able to use the same authentication information to represent a principal to
all applications deployed in the same container, and

3. Require re-authentication of users only when a security policy domain boundary
has been crossed.
Therefore, a servlet container is required to track authentication information
at the container level (rather than at the web application level). This allows users
authenticated for one web application to access other resources managed by the
container permitted to the same security identity.