I don't know why Tomcat 5 and Tomcat 6 should be different there, but I can make some observations about the viability of this technique:
1. BASIC authentication isn't very secure. The userid and password are "encrypted" by one of the most feeble algorithms out there. The only thing that makes BASIC authentication even viable is running it over SSL.
2. About the only way to reliably log out of an app running BASIC authentication is to shut down your browser. I normally have half a dozen different browser tabs open at any given time, so that's not pleasant.
3. The Apache security system is designed to secure Apache apps. It isn't the best fit for Java webapps. For example, it doesn't support role-based access control, and it doesn't enable the J2EE built-in security functions.
The secret of how to be miserable is to constantly expect things are going to happen the way that they are "supposed" to happen.
You can have faith, which carries the understanding that you may be disappointed. Then there's being a willfully-blind idiot, which virtually guarantees it.
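
An added example, not part of the original post: the Basic scheme's encoding of the userid and password is Base64 (RFC 7617), which anyone who sees the header can reverse without a key, so a server-side audit should flag any request that carries it outside SSL/TLS. The function names and the sample credentials are constructed for illustration.

```python
import base64


def parse_basic_credentials(header_value):
    """Return (userid, password) from an Authorization header value, or None.

    No key or secret is needed: the token is only Base64 of "userid:password".
    """
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    # The userid cannot contain ":", but the password may, so split once.
    userid, sep, password = decoded.partition(":")
    if not sep:
        return None
    return userid, password


def audit_request(scheme, headers):
    """Classify a request as 'no-basic', 'basic-over-tls' or 'basic-in-clear'."""
    value = next(
        (v for k, v in headers.items() if k.lower() == "authorization"), None
    )
    if value is None or parse_basic_credentials(value) is None:
        return "no-basic"
    return "basic-over-tls" if scheme.lower() == "https" else "basic-in-clear"


# Constructed sample header (not taken from any real system).
SAMPLE_HEADER = "Basic " + base64.b64encode(b"tomcat:s3cret:pw").decode("ascii")

if __name__ == "__main__":
    print(parse_basic_credentials(SAMPLE_HEADER))
    print(audit_request("http", {"Authorization": SAMPLE_HEADER}))
    print(audit_request("https", {"Authorization": SAMPLE_HEADER}))
```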