Actually, Tomcat is designed to be able to support a central security management system, so the normal way you'd keep people out would be to set up roles for the applications. To (for example) keep administrators from app1 from being able to act as administrators to app2, you'd have to give them different role names (say app1_admin, app2_admin). You can put role aliases in web.xml to keep from having to make major mods to the app itself.
You can also define a separate Realm in each webapp's context, rather than globally (in server.xml) and give them separate username/password files.
The secret of how to be miserable is to constantly expect things are going to happen the way that they are "supposed" to happen.
You can have faith, which carries the understanding that you may be disappointed. Then there's being a willfully-blind idiot, which virtually guarantees it.