Those options are defined by the
servlet specification, not in the Java language, so no - nothing has changed with Java 6 (or 7, or 8).
Basic auth is very weak indeed, don't use it unless you're also using HTTPS. But then it's a secure option, although more useful for REST API calls - the dialog box that pops up in browsers is an uncommon sight for users, and should be avoided.
As for form auth - used in conjunction with HTTPS that, too, is secure. (The fact that is doesn't use encoding is irrelevant - that doesn't provide any security.)
You raise the important point that
encryption is separate from
authentication, which in turn is separate from
authorization (the latter leading to the
getRemoteUser and
isUserInRole methods of HttpServletRequest).