As far as I remember, redirecting always creates new sessions and forwards retains the session/request info. Can't u use mod_jk as a connect b/w Apache and Jboss/Tomcat?
Thanks for the suggestion.
This was remedied by putting all of the servlets, and not just the first one which did an initial authentication, into the <web-resource-collection> of the web.xml of the JBoss web application. The remote user information is now available to all of the servlets which need it (as long as they are in the <web-resource-collection>). It seems that the request's Principal gets passed around only to those servlets which are designated as protected in the web.xml.