Tomcat implements J2EE standard container-based security, and that standard has very strict requirements. Specifically, 2 and only 2 parameters are supported as part of an authentication (login) request, and while security professionals have their own terminology, the rest of us call these parameters "userid" and "password".
It makes for a very simple, unconfusing user interaction, since the user doesn't end up in situations where privileges assigned in one login mode or context aren't available because the user logged in using another context, and because there's never any doubt about which context the user is operating under when problems arise.
I'm not sure if this has any bearing on what you're asking, since I'm not sure what the "multiple modules" thing is supposed to be about, but I figured I should mention it, since some people do ask questions like that.
Incidentally, I think that quite a few people have gotten the idea that J2EE container authorization is JAAS. It isn't. JAAS is just one of the many authentication mechanisms that are supported under the façade of J2EE Container-Managed Authentication and Authorization for Tomcat.
Looking at the question from another direction, Tomcat 6 has an Aggregating Realm that allows multiple Realms to manage user accounts. It's especially useful for situations such as public/internal webapps, where in-house user accounts are defined in LDAP/Active Directory and public user accounts are defined in a database. You can also use this to combine several JAAS Realms, if that's of any help.
JAAS itself is much more fine-grained than J2EE container-managed security, and I'm not as well-versed in it as I would like, since I haven't needed the extra power lately.
Customer surveys are for companies who didn't pay proper attention to begin with.
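As an added illustration of the multi-Realm setup described in the post above (not part of the original post): Tomcat's realm class for combining several Realms is `org.apache.catalina.realm.CombinedRealm`. The host name, DN patterns, JNDI resource name and table/column names below are constructed placeholders, and the fragment assumes a JDBC DataSource is already defined as a global resource.

```xml
<!-- server.xml fragment: place inside <Engine>, <Host> or <Context>. -->
<!-- Nested realms are tried in the order listed; the first one that
     authenticates the userid/password pair wins. -->
<Realm className="org.apache.catalina.realm.CombinedRealm">

  <!-- In-house accounts: LDAP / Active Directory.
       ldaps:// keeps the bind credentials off the wire in cleartext.
       With userPattern, Tomcat binds as the user's own DN to verify
       the password. (Constructed host and DNs.) -->
  <Realm className="org.apache.catalina.realm.JNDIRealm"
         connectionURL="ldaps://ldap.example.internal:636"
         userPattern="uid={0},ou=people,dc=example,dc=internal"
         roleBase="ou=groups,dc=example,dc=internal"
         roleName="cn"
         roleSearch="(member={0})" />

  <!-- Public accounts: database table reached through a JNDI DataSource.
       digest tells the realm the stored credential is a hash rather than
       the cleartext password (attribute of the Tomcat 6-era realms).
       (Constructed resource, table and column names.) -->
  <Realm className="org.apache.catalina.realm.DataSourceRealm"
         dataSourceName="jdbc/PublicUsersDB"
         userTable="users"
         userNameCol="user_name"
         userCredCol="user_pass"
         userRoleTable="user_roles"
         roleNameCol="role_name"
         digest="SHA-256" />

</Realm>
```

Because both realms feed the same container-managed role checks, a userid that exists in both stores resolves to whichever realm is listed first, so keep the two namespaces disjoint or order the realms deliberately.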