Good Day cchoi,
In the Tomcat servlet container, an authenticated entity is stored as a Principal in the Session. This principal is really an extension of java.security.Principal that also stores an array of String "roles". On every request (if a web app has been configured to use Container Managed Security), a check is made to see if the request has a security constraint, if there is a Principal, and if the Principal has the role configured as the constraint.
If your Tomcat server is embedded in JBoss, then this principal and the original credentials (i.e. password) are sent with each request to the EJB Container. You can look at org.jboss.web.tomcat.security.SecurityAssociationValve for more details.
As well, you should read Chapter 8 of the server guide.
Hope this helps clarify, cgriffith
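As an added illustration (not code from the post, from Tomcat, or from JBoss), here is a stripped-down model of the per-request check described above: a role-carrying Principal, a table of constraints, and the three questions the container asks. Class and method names are hypothetical, and URL matching is simplified to a path prefix rather than Servlet URL-pattern rules.

```java
import java.security.Principal;
import java.util.*;

// Hypothetical model of container-managed authorization; names are invented for illustration.
public class ContainerSecurityCheck {

    // Models Tomcat's principal: a java.security.Principal that also carries a set of roles.
    static final class RolePrincipal implements Principal {
        private final String name;
        private final Set<String> roles;
        RolePrincipal(String name, String... roles) {
            this.name = name;
            this.roles = new HashSet<>(Arrays.asList(roles));
        }
        public String getName() { return name; }
        boolean hasRole(String role) { return roles.contains(role); }
    }

    // Models a <security-constraint>: a URL prefix plus the roles allowed to reach it.
    static final class Constraint {
        final String pathPrefix;
        final Set<String> allowedRoles;
        Constraint(String pathPrefix, String... allowedRoles) {
            this.pathPrefix = pathPrefix;
            this.allowedRoles = new HashSet<>(Arrays.asList(allowedRoles));
        }
        boolean matches(String path) { return path.startsWith(pathPrefix); }
    }

    enum Decision { PERMIT, UNAUTHENTICATED, FORBIDDEN }

    // The three questions asked on every request: is the URL constrained? is there a
    // Principal in the session? does that Principal hold one of the constraint's roles?
    static Decision authorize(List<Constraint> constraints, String path, Principal sessionPrincipal) {
        Constraint matched = null;
        for (Constraint c : constraints) if (c.matches(path)) { matched = c; break; }
        if (matched == null) return Decision.PERMIT;                  // unconstrained resource
        if (sessionPrincipal == null) return Decision.UNAUTHENTICATED; // container challenges (401)
        if (!(sessionPrincipal instanceof RolePrincipal)) return Decision.FORBIDDEN;
        RolePrincipal p = (RolePrincipal) sessionPrincipal;
        for (String role : matched.allowedRoles) if (p.hasRole(role)) return Decision.PERMIT;
        return Decision.FORBIDDEN;                                    // authenticated, lacks role (403)
    }

    public static void main(String[] args) {
        List<Constraint> constraints = Arrays.asList(
            new Constraint("/admin/", "admin"),
            new Constraint("/app/", "user", "admin"));
        Principal alice = new RolePrincipal("alice", "user");   // constructed sample principal
        System.out.println(authorize(constraints, "/public/index.jsp", null));
        System.out.println(authorize(constraints, "/app/home", null));
        System.out.println(authorize(constraints, "/app/home", alice));
        System.out.println(authorize(constraints, "/admin/users", alice));
    }
}
```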
Thanks for reply, cgriffith :)