Security in Tomcat is a lot different than security in the Apache httpd server. There's no directory rules for one thing, only URL rules. And
J2EE supplies a role-based access control model which Apache does not.
The configuration for container-based authentication and authorization is done using the webapp's web.xml file. The actual reference point for the authentication and authorization service provider you wish to use is the Realm configured for your webapp context.
The secret of how to be miserable is to constantly expect things are going to happen the way that they are "supposed" to happen.
You can have faith, which carries the understanding that you may be disappointed. Then there's being a willfully-blind idiot, which virtually guarantees it.