I'd like to avoid filters because in that case I need to check each request for such a simple thing as putting the user id into the session, instead of doing it once at login time.
Why would you need to do the auth over and over again, just because it's located in a filter? If the session already contains auth info, you can just skip over the JAAS part.
I'm thinking of passing a request as a parameter to CallbackHandler.
It would be a better design not to pass the request, but the values (username, password, etc.) it contains. That way you can reuse the auth logic outside of a servlet environment.
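An added example, not code from the thread, showing both replies together: a `CallbackHandler` built from plain values, and a filter that runs JAAS only when the session holds no auth info yet. It assumes the `javax.servlet` API; the JAAS entry name `MyApp`, the session attribute `subject`, and the parameter names `username` and `password` are hypothetical.

```java
import java.io.IOException;
import javax.security.auth.callback.*;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.servlet.*;
import javax.servlet.http.*;

// Takes values, not the request, so it is reusable outside a servlet container.
final class ValueCallbackHandler implements CallbackHandler {
    private final String username;
    private final char[] password;
    ValueCallbackHandler(String username, char[] password) {
        this.username = username;
        this.password = password;
    }
    @Override
    public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (cb instanceof NameCallback) ((NameCallback) cb).setName(username);
            else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(password);
            else throw new UnsupportedCallbackException(cb);
        }
    }
}

// Save as JaasLoginFilter.java; all names in string literals are hypothetical.
public class JaasLoginFilter implements Filter {
    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}
    @Override
    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpSession session = req.getSession(false);
        if (session == null || session.getAttribute("subject") == null) { // not logged in yet
            String user = req.getParameter("username");
            String pass = req.getParameter("password");
            try {
                if (user == null || pass == null) throw new LoginException("missing credentials");
                LoginContext lc = new LoginContext("MyApp", new ValueCallbackHandler(user, pass.toCharArray()));
                lc.login(); // throws LoginException on bad credentials
                if (session != null) session.invalidate(); // fresh session id after login
                req.getSession(true).setAttribute("subject", lc.getSubject());
            } catch (LoginException e) {
                ((HttpServletResponse) rs).sendError(HttpServletResponse.SC_UNAUTHORIZED); return;
            }
        }
        chain.doFilter(rq, rs); // already authenticated: the JAAS part was skipped
    }
}
```

Requests that arrive with an authenticated session pay only for one attribute lookup; the `LoginContext` is created once per login.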