FWIW, what I do (in all of the examples I listed) is to create a DS @Component providing a ServletContextHelper service, like so: https://github.com/steinarb/oldalbum/blob/master/oldalbum.web.security/src/main/java/no/priv/bang/oldalbum/web/security/OldAlbumServletContextHelper.java#L22
Then I use the ServletContext resulting from that, both for the frontend https://github.com/steinarb/oldalbum/blob/master/oldalbum.web.frontend/src/main/java/no/priv/bang/oldalbum/web/frontend/OldalbumServlet.java#L46 and for the REST API https://github.com/steinarb/oldalbum/blob/master/oldalbum.web.api/src/main/java/no/priv/bang/oldalbum/web/api/OldAlbumWebApiServlet.java#L33, and then the Shiro authentication automagically works for both. (The JerseyServlet is my own home-cooked wrapper that makes injected OSGi services available as HK2-injected services in Jersey.)

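The pattern described in the post, written out as an added example (it is not code from the oldalbum project or from its author): one DS component publishes a ServletContextHelper under a whiteboard context name, and a filter plus two servlets select that context by name, so the filter sits in front of both servlets. The context name "myapp", the paths, the class names and the session-attribute check inside the filter are assumptions for illustration; a real deployment would register Shiro's filter in the same way instead of the placeholder filter shown here.

```java
// Added example, not the oldalbum project's code. Shows one HTTP Whiteboard
// context shared by an authentication filter and two servlets. All names,
// paths and the filter's check are illustrative assumptions.
package example.whiteboard;

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.Servlet;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.osgi.service.component.annotations.Component;
import org.osgi.service.http.context.ServletContextHelper;
import org.osgi.service.http.whiteboard.HttpWhiteboardConstants;

/** The shared context. Everything that selects "myapp" is served under /myapp. */
@Component(service = ServletContextHelper.class,
           property = {
               HttpWhiteboardConstants.HTTP_WHITEBOARD_CONTEXT_NAME + "=myapp",
               HttpWhiteboardConstants.HTTP_WHITEBOARD_CONTEXT_PATH + "=/myapp"
           })
class MyAppServletContextHelper extends ServletContextHelper {
    // The inherited handleSecurity() returns true, so authentication is left
    // to the filter registered on this context below.
}

/**
 * Placeholder authentication filter (assumption: in production this is where
 * Shiro's filter is registered, with the same context select property).
 * Because it selects the "myapp" context with pattern /*, it runs before
 * BOTH servlets registered on that context.
 */
@Component(service = Filter.class,
           property = {
               HttpWhiteboardConstants.HTTP_WHITEBOARD_CONTEXT_SELECT
                   + "=(" + HttpWhiteboardConstants.HTTP_WHITEBOARD_CONTEXT_NAME + "=myapp)",
               HttpWhiteboardConstants.HTTP_WHITEBOARD_FILTER_PATTERN + "=/*"
           })
class MyAppAuthFilter implements Filter {
    @Override public void init(FilterConfig filterConfig) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;
        // Illustrative check only: require an existing session carrying a "user" attribute.
        HttpSession session = req.getSession(false);
        if (session == null || session.getAttribute("user") == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return; // request never reaches a servlet
        }
        chain.doFilter(request, response);
    }
}

/** Frontend servlet: /myapp/* (the less specific pattern in this context). */
@Component(service = Servlet.class,
           property = {
               HttpWhiteboardConstants.HTTP_WHITEBOARD_CONTEXT_SELECT
                   + "=(" + HttpWhiteboardConstants.HTTP_WHITEBOARD_CONTEXT_NAME + "=myapp)",
               HttpWhiteboardConstants.HTTP_WHITEBOARD_SERVLET_PATTERN + "=/*"
           })
class FrontendServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        resp.setContentType("text/html");
        resp.getWriter().println("<html><body>frontend for "
            + req.getSession().getAttribute("user") + "</body></html>");
    }
}

/** REST API servlet: /myapp/api/* (more specific, so it wins over /* for those URLs). */
@Component(service = Servlet.class,
           property = {
               HttpWhiteboardConstants.HTTP_WHITEBOARD_CONTEXT_SELECT
                   + "=(" + HttpWhiteboardConstants.HTTP_WHITEBOARD_CONTEXT_NAME + "=myapp)",
               HttpWhiteboardConstants.HTTP_WHITEBOARD_SERVLET_PATTERN + "=/api/*"
           })
class ApiServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        resp.setContentType("application/json");
        resp.getWriter().println("{\"user\":\"" + req.getSession().getAttribute("user") + "\"}");
    }
}
```

Each class would normally live in its own file; they are shown together for brevity. The check worth making when reviewing such a setup is that every servlet that should be protected carries the osgi.http.whiteboard.context.select property: a servlet registered without it lands in the whiteboard's default context, where a filter bound to the "myapp" context never runs, so the endpoint is reachable without authentication even though it looks like part of the same application.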