Higher versions of Tomcat supports JAAS as one of the authenticate realms. In that case they might be storing the password as credential in the subject. Not sure on this.What might be the reason to look for password after the authentication has passed.
The point of container-managed authentication is that it's container-managed; it provides no access to the details, beyond the Principal (which includes the username but not the password).
If you really need to do this, and are up for a bit of hacking and a Tomcat-only solution, then this article (written by -ahem- myself) tells you how to get access to the Realm, and how to alter it to get at the password.
What is the purpose of accessing the password?
That's a very big dog. I think I want to go home now and hug this tiny ad: