square / keywhiz

A system for distributing and managing secrets

Home Page: https://square.github.io/keywhiz/

Request log missing security context

sul3n3t opened this issue

Currently, authentication is done at the Jersey layer. However, the request log is written using data at the Jetty servlet layer. When data is put into a security context to show a request is authenticated (at the Jetty layer), the principal isn't in the request log. This means there's a bunch of extraneous and easy-to-miss logging statements.

A portion of the authentication should move to the Jetty servlet layer so the principal can be shown in the request log.
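A sketch of the approach the issue proposes, added here as an example and not taken from Keywhiz: a servlet filter that records the caller's identity on the Jetty base request, which is where Jetty's request log looks for the authenticated user. It assumes Jetty 9.x (`javax.servlet`) and callers that authenticate with TLS client certificates, neither of which the issue states; the class name `PrincipalForRequestLogFilter` is hypothetical.

```java
import java.io.IOException;
import java.security.Principal;
import java.security.cert.X509Certificate;
import javax.security.auth.Subject;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import org.eclipse.jetty.security.DefaultUserIdentity;
import org.eclipse.jetty.security.UserAuthentication;
import org.eclipse.jetty.server.Request;
import org.eclipse.jetty.server.UserIdentity;

/** Hypothetical filter: attaches the client-certificate identity to the Jetty request. */
public class PrincipalForRequestLogFilter implements Filter {
  @Override public void init(FilterConfig config) {}
  @Override public void destroy() {}

  @Override
  public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
      throws IOException, ServletException {
    // Standard servlet attribute, populated by the container after the TLS handshake.
    // The chain is only trustworthy if the connector requires and validates client certs.
    X509Certificate[] certs =
        (X509Certificate[]) req.getAttribute("javax.servlet.request.X509Certificate");
    // The request log reads the base Request, so a request wrapper would not be seen.
    Request base = Request.getBaseRequest(req);
    if (base != null && certs != null && certs.length > 0) {
      Principal principal = certs[0].getSubjectX500Principal();
      Subject subject = new Subject();
      subject.getPrincipals().add(principal);
      // No roles are granted here: this identifies the caller for logging only.
      UserIdentity identity = new DefaultUserIdentity(subject, principal, new String[0]);
      base.setAuthentication(new UserAuthentication("CLIENT_CERT", identity));
    }
    // Requests without a certificate continue unchanged and are logged with no user.
    chain.doFilter(req, res);
  }
}
```

Authorization decisions would still be made at the Jersey layer; the filter only makes the principal visible to the request log so each access line can be attributed without separate logging statements.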