It appears that you do NOT require single sign-on for users. In that case, you do NOT need NTLM or Kerberos. All you need is server-side authentication with Active Directory.
Fortunately, AD exposes itself as LDAP, with a few quirks. Please view this answer: Configuring Tomcat to authenticate using Windows Active Directory
If you configure the realm and the container (Tomcat) authentication against AD properly, you should not need to retrieve the headers or write any code to do the authentication - the container (Tomcat) will do it for you.
Edited:
Web XML sample:
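    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Wildcard means whole app</web-resource-name>
            <url-pattern>/*</url-pattern>
            <!-- No <http-method> elements here, so the constraint applies to
                 every HTTP method. Listing only GET and POST would leave the
                 other methods (PUT, DELETE, HEAD, ...) outside the constraint. -->
        </web-resource-collection>
        <auth-constraint>
            <!-- Must match a role name returned by the realm -->
            <role-name>user</role-name>
        </auth-constraint>
    </security-constraint>
    <login-config>
        <!-- BASIC sends the credentials Base64-encoded with every request,
             so serve the application over HTTPS only -->
        <auth-method>BASIC</auth-method>
        <realm-name>default</realm-name>
    </login-config>
    <security-role>
        <role-name>user</role-name>
    </security-role>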
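
A realm definition that pairs with the web.xml above, as an added example that is not part of the original answer: a Tomcat JNDIRealm bound to Active Directory over LDAPS. The host name, DNs, service account and password are placeholders, and it assumes an AD group whose CN is `user` so that it maps to the role used in the constraint.

```xml
<!-- conf/server.xml, inside <Engine> or <Host>.
     Placeholders (assumptions): dc01.example.com, the DC=example,DC=com tree,
     the svc-tomcat service account and its password. -->

<!-- LockOutRealm wraps the directory realm and temporarily locks a user name
     after repeated failed logins, which limits password guessing through BASIC. -->
<Realm className="org.apache.catalina.realm.LockOutRealm">

  <!-- connectionURL uses ldaps:// so bind passwords are not sent in clear text;
       Tomcat's JVM must trust the certificate of the domain controller.
       connectionName/connectionPassword: low-privilege account used only to
       search for the user and the groups.
       No userPassword attribute is set, so Tomcat verifies the login by binding
       to the directory as the user who is logging in.
       userSearch: {0} is replaced with the user name typed into the browser.
       roleSearch: {0} is replaced with the DN of the authenticated user, so
       every group that lists the user as a member becomes a role.
       roleName="cn": the group's CN is the role name compared with
       <role-name> in web.xml. -->
  <Realm className="org.apache.catalina.realm.JNDIRealm"
         connectionURL="ldaps://dc01.example.com:636"
         connectionName="CN=svc-tomcat,OU=Service Accounts,DC=example,DC=com"
         connectionPassword="CHANGE_ME"
         referrals="follow"
         userBase="OU=Users,DC=example,DC=com"
         userSearch="(sAMAccountName={0})"
         userSubtree="true"
         roleBase="OU=Groups,DC=example,DC=com"
         roleName="cn"
         roleSearch="(member={0})"
         roleSubtree="true" />
</Realm>
```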