1. Using the javax.net.ssl.trustStore javax.net.ssl.trustStorePassword properties to poing to the keystore to use as the trustStore.
2. You don't without custom integration with the web container. The user credentials are not part of the servlet api.
For what it's worth, you could use a custom org.apache.catalina.Valve for Tomcat to grab the user's credentials during the login request and stuff them in the session or something where a servlet could access them later. It wouldn't be as complex as customizing the entire web integration -- just implement a tiny valve and add it to jbossweb-tomcat41.sar/META-INF/jboss-service.xml