This may not be your only problem, but the request you're testing with... https://example.com/api/xml?action=login&external-auth=use ...will not be handled by the header authentication filter. It's configured to be ignored by this stanza in the web.xml:-
<param-name>ignore-pattern-0</param-name>
<param-value>/api/</param-value>
Try with the standard login page. If you still have troubles, it might be worth excerpting the relevant lines from the debug log.