I am looking for a minimal working example in Java and the appropriate Tomcat configuration files which allow me to extract the UserPrincipal from a client.
After reading various recipes on the topic of Tomcat and LDAP, I am still struggling with getting my Tomcat to do what I want, namely to make the client send the Active Directory information to my Tomcat server. I managed to configure, understand and test BASIC AUTH access control, adjusting the usual suspects Tomcat/conf/server.xml and webapp/WEB-INF/web.xml.
For the current LDAP user challenge, the Realm (within host-scope of server.xml) reads:
```xml
<Realm className="org.apache.catalina.realm.JNDIRealm" debug="10"
       connectionURL="ldap://me.myserver.net:389"
       userBase="ou=Standard User,ou=Users and Groups,ou=me,dc=myserver,dc=net"
       roleSubtree="true" roleNested="false"/>
```
Within the web.xml, we have
```xml
<security-role>
    <description>All authenticated users</description>
    <role-name>ldapAuthenticated</role-name>
</security-role>
<security-constraint>
    <display-name>userConstraint</display-name>
    <web-resource-collection>
        <web-resource-name>LDAP Test</web-resource-name>
        <url-pattern>/ldap</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>ldapAuthenticated</role-name>
    </auth-constraint>
    <user-data-constraint>
        <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
</security-constraint>
```
The essential Java part is probably the following (which runs, but currentPrincipalName stays empty):

```java
import javax.servlet.http.HttpServletRequest;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;

public static String ldapGroupService(HttpServletRequest request) {
    String out = "<html><body><h1>{ldapGroupService}/ldap</h1>";
    // Reads the Spring Security context, not the Servlet container's principal
    Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
    String currentPrincipalName = authentication.getName();
    out = out + "<p>The user is '" + currentPrincipalName + "'.</p>" + "</body></html>";
    return out;
}
```
Related posts did provide Tomcat configuration, but they did not focus on the issue of how to obtain a non-empty Authentication line in the Response header (to be checked e.g. with F12 in Chrome) from the client.
- How to configure JNDI Realm with Tomcat 7 for PKI User Certificate Authentication?
- Java LDAP - Determine if user in a given group?
- External LDAP JNDI connectivity using Tomcat
- Trying to configure LDAP as JNDI Resource in Tomcat
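As an added example (not from the question or any of the linked posts), this servlet reads the principal the way Tomcat's container-managed authentication actually exposes it: a JNDIRealm plus a `<security-constraint>` populates the Servlet API (`request.getUserPrincipal()`, `isUserInRole()`), while `SecurityContextHolder` belongs to Spring Security and stays empty unless Spring Security's own filter chain is installed. It assumes the `/ldap` mapping, the `ldapAuthenticated` role from the question's web.xml, and a matching `<login-config>` in that web.xml; the HTML escaping is there because the name is echoed into the page.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.security.Principal;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Mapped to the same /ldap path that the security-constraint in web.xml protects,
// so Tomcat has already authenticated the caller before doGet() runs (assumed setup).
@WebServlet("/ldap")
public class LdapPrincipalServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // Container-managed auth (JNDIRealm + <security-constraint>) exposes the
        // authenticated user through the Servlet API, not through Spring Security.
        Principal principal = request.getUserPrincipal();

        response.setContentType("text/html;charset=UTF-8");
        PrintWriter out = response.getWriter();
        out.println("<html><body><h1>{ldapGroupService}/ldap</h1>");
        if (principal == null) {
            // Reached only if /ldap is not covered by the constraint; fail closed.
            response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            out.println("<p>No authenticated principal on this request.</p>");
        } else {
            out.println("<p>The user is '" + escapeHtml(principal.getName()) + "'.</p>");
            out.println("<p>Auth type: " + escapeHtml(request.getAuthType()) + "</p>");
            out.println("<p>Has role ldapAuthenticated: "
                    + request.isUserInRole("ldapAuthenticated") + "</p>");
        }
        out.println("</body></html>");
    }

    // The principal name comes from the directory; escape it before echoing into HTML.
    static String escapeHtml(String s) {
        if (s == null) return "";
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<': sb.append("&lt;"); break;
                case '>': sb.append("&gt;"); break;
                case '&': sb.append("&amp;"); break;
                case '"': sb.append("&quot;"); break;
                case '\'': sb.append("&#39;"); break;
                default: sb.append(c);
            }
        }
        return sb.toString();
    }
}
```

Note that with `connectionURL="ldap://...:389"` and `<transport-guarantee>NONE</transport-guarantee>` both the realm's directory bind and the client's BASIC credentials travel unencrypted; `ldaps://` on the realm and `CONFIDENTIAL` on the constraint close those two gaps.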