Tomcat CAN Accept Apache User
I've run into this from time to time, and usually not had to bother with it as authentication usually happens within an application, but on this project I'm trying to enforce the SSO a bit more, so I needed to get Apache to pass Tomcat the user that it has used to authenticate. Should you need to do the same, here's the two-word solution.
Well, more than two words to describe it, but the solution is really two words.
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" tomcatAuthentication="false"/>
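In the Tomcat conf/server.xml (or wherever you may have configured yours to be), there's an AJP connector defined. In that connector definition, add the attribute tomcatAuthentication and set its value to false. This will allow Tomcat to accept the user information from Apache. If no user has authenticated, no user is passed through, which is also what happens by default (the attribute defaults to true, so Tomcat does its own authentication and ignores the Apache user). With the attribute set to false, Tomcat trusts whatever user arrives over AJP, so the AJP port should be reachable only from the Apache front end.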
Why isn't it the default to get the current user from Apache? I dunno.
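A check to go with the setting above, as an added example that is not code from the original post: it reads a server.xml and reports which AJP connectors accept the front end's user, and whether they also set the connector's address and secret attributes. The sample XML, the placeholder secret and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml fragment (not from a real deployment).
SAMPLE_SERVER_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
               tomcatAuthentication="false"/>
    <Connector port="8010" protocol="AJP/1.3" address="127.0.0.1"
               secret="CHANGE-ME-PLACEHOLDER" tomcatAuthentication="false"/>
    <Connector port="8011" protocol="AJP/1.3" redirectPort="8443"/>
  </Service>
</Server>
"""

def is_ajp(connector):
    """True for protocol="AJP/1.3" or an explicit AJP protocol class name."""
    proto = connector.get("protocol", "")
    return proto.upper().startswith("AJP") or ".ajp." in proto.lower()

def audit_ajp_connectors(server_xml):
    """Return one finding dict per AJP connector in the given server.xml text."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if not is_ajp(conn):
            continue
        # tomcatAuthentication defaults to true: Tomcat authenticates itself.
        value = conn.get("tomcatAuthentication", "true").strip().lower()
        trusts_front_end = value == "false"
        notes = []
        if trusts_front_end:
            if conn.get("address") is None:
                notes.append("no explicit address: confirm only Apache can reach this port")
            if not conn.get("secret"):
                notes.append("no secret: any peer that can connect can assert a user")
        findings.append({
            "port": conn.get("port"),
            "trusts_front_end_user": trusts_front_end,
            "notes": notes,
        })
    return findings

if __name__ == "__main__":
    for finding in audit_ajp_connectors(SAMPLE_SERVER_XML):
        print(finding)
```
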