Just to let you know, the second problem is solved.
I don't know why but now it works as expected with:
<page view-id="/*" login-required="true"/>
Concerning the first question I figured out that I can call a session bean which calls Authenticator.authenticate() but calling the Authenticator directly from the view fails (of course) because it is no session bean with a local interface.
Is there a way to call the authenticator declaratively in pages.xml or is there any other opportunity to leave out the login page?
Thanks for your help!