Well, let me try to address both questions with a few thoughts you might consider:
The Realm concept that most application servers (Glassfish, WebLogic, JBoss, WebSphere...) implement is backed by the security specification of Java EE, which "defines" the minimal requirements; unfortunately most of them have their own proprietary implementation, but at least they follow the spec guidance (deployment descriptors, user/group, authentication and authorization concepts, etc.).
It's possible to implement custom authentication mechanics as some people do with Servlet filters, for example. On every request the filter checks some session information against a DB, etc., but I still prefer the Realm concept since most containers offer more fine-grained control for authorization/authentication.
In the tutorial we set up a JDBC Realm to be used in the Duke's Forest case study using JSF, which you can check as an example:
http://docs.oracle.com/javaee/7/tutorial/doc/security-advanced003.htm#BABEJJDE
Hope that helps.