The REST server doesn't handle authentication very efficiently:

• it always checks for authentication even when it's disabled
• it obtains the authenticated Subject from the realm on every request

we should optimize it as follows:

• move authentication to a dedicated channel handler which is installed only when enabled
• keep the authenticated Subject in the authentication handler, as well as any headers required by the mech in use to quickly validate the request and skip interaction with the security realm for keep-alive connections