All 4 are
defined in the servlet spec, as a quick read of the "Security" section will show, but that's not the same as being required to be implemented.
DIGEST is not required for servlet containers, and CLIENT-CERT is optional for servlet containers (but mandatory for
JEE containers).