A project-default.yml fie like the following:
results in all of the web configuration being ignored because of the check for a known auth method among the 4 hardcoded in the org.wildfly.swarm.undertow.runtime.HttpSecurityPreparer. If an equivalent configuration is passed in via a WEB-INF/web.xml, the method is allowed. Since undertow has an extension mechanism that allows for deploying custom authentication mechanisms in the deployment war, I don't see the point in trying to validate it here.
I would propose to just remove validation of the auth-method altogether. If acceptable, assign this to me and I'll create a pull request.