request.getSession(true); creates a session and login() authenticates the user; those are two different things.
If I leave out the request.getSession(true);, subsequent requests to protected resources fail with a 403.
Because you need to create a session.
I don't need to explicitly create a session for form based or BASIC authentication.
The spec (13.3) says:
The login method allows an application to perform username and password collection (as an alternative to Form-Based Login).
Containers may create HTTP Session objects to track login state.
This led me to believe that login state will be tracked between requests.
I know that WebSphere, for example, does not use the HttpSession for tracking login state. It uses a separate cookie instead.
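The pattern the thread converges on, as an added example that is not code from any of the posters above: create the session explicitly, then call the Servlet 3.0 HttpServletRequest.login(String, String) method, so that a container which tracks login state in the HttpSession has one to write to. The servlet name, URL pattern, parameter names and the "admin" role are assumptions for illustration.

```java
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Servlet name, URL pattern and parameter names are assumptions, not from the thread.
@WebServlet("/programmatic-login")
public class ProgrammaticLoginServlet extends HttpServlet {

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String username = request.getParameter("username");
        String password = request.getParameter("password");
        if (username == null || password == null) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST, "username and password required");
            return;
        }

        // Defensive step (not discussed in the thread): discard any pre-existing session so an
        // attacker-supplied session id cannot be promoted to an authenticated one (session fixation).
        HttpSession existing = request.getSession(false);
        if (existing != null) {
            existing.invalidate();
        }

        // Step 1: make sure a session exists before authenticating. A container that keeps
        // login state in the HttpSession needs one here; without it the thread reports that
        // later requests to protected resources fail with 403.
        HttpSession session = request.getSession(true);

        try {
            // Step 2: authenticate against the container's configured realm. On failure
            // login() throws ServletException rather than returning a status.
            request.login(username, password);
        } catch (ServletException e) {
            // Leave nothing behind after a failed attempt.
            session.invalidate();
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "login failed");
            return;
        }

        // Step 3: the container now associates the caller with this session, so the
        // principal and role checks are available for this and subsequent requests.
        response.setContentType("text/plain");
        response.getWriter().println("logged in as " + request.getUserPrincipal().getName());
        response.getWriter().println("admin role: " + request.isUserInRole("admin"));
    }
}
```

Whether the second step is strictly required depends on the container: as noted above, WebSphere tracks login state in its own cookie rather than in the HttpSession, so there the getSession(true) call is harmless but not what carries the authentication between requests.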