Did you find solution for this problem? I'm facing similar challenge. I tried removing security filter entry in web.xml of jbpm-console. It helps in getting rid of authentication layer, but the problem is, few rest api calls are stateful and they fail if we remove auth layer.
Have you considered upon security if you bypass the auth layer? In my case, my custom app and the jbpm console, both will be behind a firewall. I'll provide authentication from my custom app and jbpm console rest api will be reachable only from my custom web app.