Are you saying that you tried both getRemoteUser and getPrincipal, and that neither of them returned a cleartext username? That would be a violation of the Servlet API, so I think you might be doing something wrong.
Where (e.g., database, LDAP, ...) does WL look for its username/password information?
You should be able to access that user directory by some other means to get at the password (of course, the password might be hashed in that directory, in which case you won't be able to get at it in cleartext). But since the user is authenticated already, wouldn't it be sufficient to just pass along the username?