I think web.xml is often overlooked for a great many configuration options. Personally, I’m guilty of limiting my use of the deployment descriptor to servlet, filter and tag configuration. I don’t like to see the file get messy I guess.
This article talks about the authentication configuration options that can be used in web.xml. This was something that I usually took care of in the web server configuration, not so much in the application server layer…but it looks like there are quite a few options here.