Found a way by using Authenticator to set an attribute to HttpSession in Request object and getting back the attribute in Authorization Delegate class via WebResource's getServletRequest()
Still couldn't find a way for Authentication Module to do this.
Said too soon, the EJB Authorization Delegate could not retrieve Request object since the Resource instance is that of EJBResource
Anyway for the EJB Authorization Delegate to retrieve the Request object?
Anyway to pass something to the EJB Authorization Delegate from Authentication?
Workaround the problem by using custom Principal in Login Module.