At http://tomcat.apache.org/tomcat-7.0-doc/config/ajp.html the documentation for tomcatAuthentication states as follows: "If set to true, the authentication will be done in Tomcat. Otherwise, the authenticated principal will be propagated from the native webserver and used for authorization in Tomcat. The default value is true." This documentation is incorrect; it should instead read as follows: "If set to true, authentication and authorization will be done in Tomcat. Otherwise, the authenticated principal will be propagated from the native webserver and used for authentication in Tomcat, while all role memberships will be considered false. The default value is true."
With the implementation of tomcatAuthorization, this only applies to 6.0.x now.
Fixed in 6.0.x for 6.0.44 onwards.
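The two connector settings discussed in this report (the tomcatAuthentication="false" behaviour described in the report, and the tomcatAuthorization attribute mentioned in the comments), as an added server.xml illustration that is not from the Tomcat project or the reporter; it assumes an AJP connector on port 8009 behind a native web server that performs the login, the stock UserDatabaseRealm, and a Tomcat build that already has tomcatAuthorization (6.0.44 onwards per the comment above):

```xml
<!-- Constructed server.xml excerpt (assumption: AJP on 8009, native web
     server such as httpd + mod_jk authenticates the user). Only one of the
     two <Connector> elements below would be present in a real file. -->

<!-- Variant A: principal propagated from the web server, roles never resolved.
     request.getRemoteUser() returns the propagated user name, but every
     request.isUserInRole(...) call and every <auth-constraint> role check
     evaluates to false, so role-protected resources are denied (fail closed)
     rather than granted to the wrong user. -->
<Connector port="8009" protocol="AJP/1.3"
           tomcatAuthentication="false" />

<!-- Variant B: principal still propagated, but Tomcat's Realm is consulted to
     resolve that user's roles. tomcatAuthorization only takes effect when
     tomcatAuthentication is false. -->
<Connector port="8009" protocol="AJP/1.3"
           tomcatAuthentication="false"
           tomcatAuthorization="true" />

<!-- Realm consulted in variant B; the user names it knows must match the
     user names the web server sends over AJP, otherwise roles stay empty. -->
<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
       resourceName="UserDatabase" />
```

A quick check after changing either setting is to hit a resource protected by an auth-constraint as a user who holds the required role in the Realm: variant A returns 403 for that user, variant B serves the page.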