IMHO, HttpServletRequest#login does not need to define a <login-config>. NonLoginAuthenticator is used when <login-config> is not specified in HttpServletRequest#login. When UserDatabaseRealm is used, a MemoryUser, not a GenericPrincipal, is set in the session. In AuthenticatorBase#invoke, the principal registered in the session is set on the request. Because the MemoryUser is set on the request as the principal, RealmBase#hasRole always returns false. As a result, a 403 error is returned.
Created attachment 28427: patch against 7.0 trunk
Fixed in 7.0.x and will be in 7.0.27 onwards.
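A diagnostic servlet for checking the behaviour reported above on a given Tomcat build, added here as an example and not taken from the bug report or the attached patch. It uses only the Servlet 3.0 API; the URL pattern, the role name and the request parameter names are assumptions, and the web application is assumed to have no `<login-config>`.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.security.Principal;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example: POST logs in programmatically, GET re-checks on a later request
// of the same session, where the principal comes from the session.
@WebServlet("/principal-check") // hypothetical path
public class PrincipalCheckServlet extends HttpServlet {
    private static final String ROLE = "example-role"; // placeholder: a role the test user holds

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Create the session first so an authenticated principal can be kept across requests.
        req.getSession(true);
        if (req.getUserPrincipal() == null) {
            try {
                // Parameter names are assumptions for this example.
                req.login(req.getParameter("username"), req.getParameter("password"));
            } catch (ServletException e) {
                resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
                return;
            }
        }
        report(req, resp, "login request");
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        report(req, resp, "follow-up request");
    }

    // Shows which principal type the container attached and what the role check says.
    private void report(HttpServletRequest req, HttpServletResponse resp, String stage)
            throws IOException {
        Principal p = req.getUserPrincipal();
        resp.setContentType("text/plain");
        resp.setCharacterEncoding("UTF-8");
        PrintWriter out = resp.getWriter();
        out.println(stage);
        out.println("principal class: " + (p == null ? "none" : p.getClass().getName()));
        out.println("isUserInRole(" + ROLE + "): " + req.isUserInRole(ROLE));
    }
}
```

On an affected build with UserDatabaseRealm, the follow-up request is where the report's symptom would show: a principal class other than GenericPrincipal together with a false role check for a role the user actually holds.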