I can confirm JaasSecurityManager settings:
Looking at the JavaWorld JAAS paper again, I see that subsequent web calls *don't* use the principal object, leading me to think I have to cache the principal in HTTPSession and use it appropriately thereafter.
This assumes I can run some servlet/jsp code before the restricted stuff that requires the principal.
Working now - syntax of security-constraint/web-resource-collection/url-pattern was more limited than I appreciated.
Servlet container caches auth details.
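As an added illustration (not from the original post) of the url-pattern limits mentioned above, here is a web.xml fragment showing the only pattern forms the Servlet specification accepts inside a security-constraint; the role, path and page names are assumptions.

```xml
<!-- Added example web.xml fragment; role and path names are assumptions. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Restricted area</web-resource-name>
    <!-- Path-prefix match: must begin with "/" and end with "/*". -->
    <url-pattern>/secure/*</url-pattern>
    <!-- Exact match: protects only the single resource /admin/report. -->
    <url-pattern>/admin/report</url-pattern>
    <!-- Extension match: must begin with "*." and contain no "/". -->
    <url-pattern>*.jsp</url-pattern>
    <!-- Not accepted by the spec: "/secure/*.jsp", "/*/report",
         regular expressions, or more than one wildcard. -->
    <!-- No <http-method> element is listed on purpose: naming methods
         (e.g. only GET and POST) leaves every other method uncovered. -->
  </web-resource-collection>
  <auth-constraint>
    <!-- Only callers whose authenticated principal is in this role pass. -->
    <role-name>manager</role-name>
  </auth-constraint>
</security-constraint>

<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>ExampleRealm</realm-name>
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/login-error.jsp</form-error-page>
  </form-login-config>
</login-config>

<security-role>
  <role-name>manager</role-name>
</security-role>
```

Once the container has authenticated the user against this constraint, the principal is available on later requests through HttpServletRequest.getUserPrincipal() and isUserInRole(), so no copy in HttpSession is required.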