In Fuse 6.x, we could define an embedded jetty endpoint in Karaf, this jetty endpoint has some security related jetty handlers which can extract username/password from incoming http message with Basic Auth, and then delegate the authentication to JAAS service in Karaf(the karaf realm). Atached is a code snippet with the example.

On Fuse 7.x, the same should be achieved on the servlet component, and the security related handlers should be configured at servlet level, as I understand that the same could be achieved on jetty or undertow component, but they are not the best choice