Get username of client who connected to web server
You need to set up the Spring Security Kerberos extension - this is the only out of the box way to do what you're describing in Spring Security 3. This supports SPNEGO negotiation, but requires some amount of setup on the server (and knowledge of how SPNEGO and Kerberos works).
There's not much documentation - but Mike's sample applications that he ships with 1.0M2 are great, and cover most of the common scenarios, including automated SPNEGO authentication.
The key thing for SPNEGO is to set up a custom AuthenticationEntryPoint - you'll need to do this with a custom spring bean as follows:
<bean id="kerbEntryPoint" class="org.springframework.security.extensions.kerberos.web.SpnegoEntryPoint" />
<bean id="kerbAuthenticationProcessingFilter" class="org.springframework.security.extensions.kerberos.web.SpnegoAuthenticationProcessingFilter">
<property name="authenticationManager" ref="authenticationManager" />
</bean>
... there are more beans that'll be required besides these (again, refer to the samples w/the Kerberos extension). Post back if you get further along with Spring Security or if you want exact details (since there are a number of beans / config bits involved, some knowledge of your configuration would be helpful, such as whether you are using the <http> namespace style or not).
Other than this option, you would have to set up a similar type of SPNEGO auth (such as using WAFFLE, as you suggest) - other SO questions cover this pretty well.
Finally, you could possibly front Tomcat with another web server which supports SPNEGO or NTLM better, such as Microsoft IIS or Apache Web Server with mod_spnego.
Hopefully one of these ideas would work for you!
What browser are your users using? If IE; there is a simple solution:
<html>
<script type="text/javascript">
var WinNetwork = new ActiveXObject("WScript.Network");
alert(WinNetwork.UserName);
</script>
</html>
The latest way for Windows to do it is SPNEGO. To make it work fully you need you server to have an account in AD, and communicate with Kerberos. Then Spring Security, I was told, supports this.
Now, not always you need to authorize users. Sometimes (e.g. for stats reasons) it's enough to get the AD id of the user. When I was playing with SPNEGO, the binary data that was passed from browser were including the user id in clear text. It can be extract from there, but cannot be trusted of course.
NTLM is outdated, considered less secure, and largely rolled out from the environments.