  1. Jenkins
  2. JENKINS-4827

anonymous user vs web container security (loop on noPrincipals)


    • Type: Bug
    • Resolution: Unresolved
    • Priority: Major
    • _unsorted
    • Platform: All, OS: All

      There is something strange with web container authentication and the Anonymous user.
      I have two interesting cases (maybe it requires two different bugs).
      The base situation is the following. Configure Hudson under a Java EE container
      (I use Glassfish). Start Hudson and configure it to enable security with
      container-based authentication and project matrix-based authorization. Also
      configure a user with the administrative role from the container security realm.

      Case one:

      • Leave the Administrative role on the Anonymous user. I did this so
        that if something goes wrong with the domain authentication I can still
        fix the security settings. After testing the security I wanted to revoke
        the admin right from Anonymous.
      • The result on login is IllegalStateException prior to #4822
      • The result is 404 on page j_acegi_security_check after #4822

      Case two:

      • Revoke all rights from the Anonymous user.
      • Well, this led to IllegalStateException prior to #4822; after fixing that
        issue Hudson is looping on noPrincipals
      • The workaround is: type <site>/hudson/login in the browser, log in with an
        administrative user and grant the Anonymous user an overall read permission.

      Conclusion: Right now, with container-based security, the Anonymous user is required
      and it shall have only overall read permission.

            Assignee: Unassigned
            Reporter: lkishalmi