As usual, within an hour of posting a question on something I've been banging my head on for a while, I think I solved it.
As a quick note, do not modify web.xml (beyond adding the servlet); AFAIK everything in here is for HTTP authentication.
Files are attached. I'll be spending a bit more time seeing if it can be trimmed down a little more.