1) This question should go to the user forum....
2) Yes, it's the expected behavior. Portlet and Servlet exist in the same web application, so you can, for example, share a session between them (PortletSession is a wrapper around HttpSession) in application scope. But remember that the Portal is also a separate web application itself. So when you log in you authenticate against the portal web app - not the portlet web app. Communication between portal and portlet is done by instrumenting the portlet web app with a special servlet and context dispatching.
If you need to validate that user is authenticated, store some kind of token into PortletSession and try to obtain it from HttpSession in your servlet.
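A sketch of the session-marker approach suggested above, as an added example that is not part of the original post or of any portal's own code. The class names and the attribute name are hypothetical, and it assumes a JSR 168 container in which the portlet and the servlet are deployed in the same web application.

```java
// --- AuthMarkerPortlet.java (hypothetical class) ---
import java.io.IOException;
import javax.portlet.*;

public class AuthMarkerPortlet extends GenericPortlet {
    // Hypothetical attribute name shared by the portlet and the servlet.
    static final String AUTH_USER_ATTR = "example.portalAuthenticatedUser";

    @Override
    protected void doView(RenderRequest request, RenderResponse response)
            throws PortletException, IOException {
        PortletSession session = request.getPortletSession();
        String user = request.getRemoteUser(); // null when not logged in to the portal
        if (user != null) {
            // APPLICATION_SCOPE attributes are visible to servlets in the
            // same web app through HttpSession under the same name.
            session.setAttribute(AUTH_USER_ATTR, user, PortletSession.APPLICATION_SCOPE);
        } else {
            // Drop a stale marker if the portal login has ended but the
            // portlet web app's session is still alive.
            session.removeAttribute(AUTH_USER_ATTR, PortletSession.APPLICATION_SCOPE);
        }
        response.setContentType("text/html");
        response.getWriter().write("<p>Portlet content</p>");
    }
}

// --- ProtectedServlet.java (hypothetical class, same web application) ---
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.*;

public class ProtectedServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // getSession(false): never create a session for an unknown caller.
        HttpSession session = req.getSession(false);
        Object user = (session == null)
                ? null : session.getAttribute(AuthMarkerPortlet.AUTH_USER_ATTR);
        if (!(user instanceof String)) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        resp.setContentType("text/plain");
        resp.getWriter().println("Authenticated via portal as " + user);
    }
}
```

The marker lives only in the server-side session, so the servlet trusts it only because the portlet wrote it after the portal reported a remote user; it is refreshed or removed each time the portlet renders.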
First, thank you very much for your response. Next, sorry for posting in the wrong forum.
I have thought of the solution that you have proposed. It's doable, just not as clean, I guess.
I just think it's kind of strange that the portal web app and portlet web app can share a session, but not the user's credential. BTW, does JSR 168 explicitly say that the portal web app and portlet web app cannot share user credentials? I tried to search for that but couldn't.
Director of Development
The other solution is to enable SSO in Tomcat.