In version 9 BMC introduced the REST API. Rather than using Mid-Tier/Tomcat the API uses a dedicated web server called Jetty which is integrated into AR Server. Jetty allows you to connect via HTTP and HTTPS but other than that the possibilities of configuration are very limited. Going forward, Innovation Suite will also use Jetty as its web server, so it's becoming more prominent.
The reason for the configuration limitation is that the Jetty integration BMC is currently using is not a full feature web server, a lot of the more advanced settings are not available. For example if you want to use Basic Authentication, CORS filters, change the web server name in the HTTP response, etc, that's not possible in Jetty.
One way to achieve this would be to use the full version of Jetty, but since it's all integrated into AR Server it's still difficult to configure. The documentation isn't always that clear and the integrated version works differently. You'd have difficulties with realms, file locations, etc. I also suspect the performance might be impacted.
I propose a different setup: use a dedicated web server like Apache or IIS and use Jetty only as the JSP engine, connect the two servers via the AJP connector. A web server like Apache is a more mature product and it allows you to add these configurations a lot easier. On the Jetty side we'd need to enable the AJP connector and configure Apache to redirect the traffic to Jetty.
This is currently not possible as the version of Jetty we use does not include this functionality, but that's just a matter of shipping ARS with the correct JAR file and update the documentation. You can enable the AJP connector on Jetty as follows: Jetty/Howto/Configure AJP13 - Eclipsepedia .