Hi Gil,
Glad to hear you've had success.
1. Yes, it makes a lot of sense: the authentication in the application container/servlet container world has always been a container responsibility. The touch point with the application is the nomination of the realm name in web.xml and any role mappings, or equivalent in annotations. Section 13 Security of the Servlet Specification makes it clear that security is a container responsibility. Not even the programmatic interfaces allow the webapp to perform its own security - the best the app can do is to call back into the container to ask for authentication/authorization. This must be the case because as @gregw pointed out in a conversation, once a user is authenticated by a webapp that user is then trusted by other webapps during a cross context dispatch call.
2. I think we do explain that in the documentation, but perhaps that is only obliquely, and maybe I'm thinking of all the times it's come up in emails on the list :) I've added an issue for us to make sure this is stated unambiguously in the doco:
https://github.com/eclipse/jetty.project/issues/2124
cheers
Jan
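To make the "touch point" in point 1 concrete, here is a web.xml fragment showing the only security declarations a webapp makes (constraints, the realm name, and role names); it is an added illustration, not code from this thread or from Jetty, and the realm name `MyRealm`, the `/admin/*` path and the `admin` role are assumed values.

```xml
<!-- Constructed example web.xml. The webapp declares what must be protected
     and nominates a realm; authentication itself stays with the container.
     "MyRealm" must match the name of a LoginService configured on the
     Jetty server, which is where users, credentials and roles live. -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">

  <!-- Which URLs are protected and which roles may reach them.
       A constraint with no <auth-constraint> leaves the resource open;
       an empty <auth-constraint/> denies everyone. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin area</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
    <!-- Require TLS so the container never receives credentials in clear text. -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- How the container authenticates: the app only nominates the realm. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>MyRealm</realm-name>
    <form-login-config>
      <form-login-page>/login.html</form-login-page>
      <form-error-page>/login-error.html</form-error-page>
    </form-login-config>
  </login-config>

  <!-- Roles the webapp refers to; the container maps authenticated users onto them. -->
  <security-role>
    <role-name>admin</role-name>
  </security-role>
</web-app>
```

A servlet that needs to trigger authentication itself still only calls back into the container (for example `HttpServletRequest.authenticate(response)` from Servlet 3.0), which is the programmatic interface Jan refers to.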