Tomcat's Container Managed Authentication mechanism can not be controllded (for a good reason) by a web application. The idea is that the container provides these services to applications. The applications then can ask to use them. Furthermore Java's servlet spec does not specify how a container is to implement these services, only that they must be provided. If you want to alter the way Tomcat does authentication/authorization, then you need to alter the container's security layer. In order to do that, you will need to dig into the Tomcat code to understand how it works. If you need pointers, let me know.
happy coding, cgriffith