Your application has some authentication; that is not an issue. Sometimes a token is required and you add it in your script. Sometimes a certificate is also required, which you have to add in the settings.
Now, coming to your question:
1> Yes, this is the correct way. If your application provides some authentication, you can easily ask the developer whether they remove it or not. If not, then you have to add the token.
>> Use correlation - Add - Regular Expression Extractor
2> For multiple users with different logins, you have to use parametrization (Thread Group - Add - CSV Data Set Config file)
>> In it you add users with different usernames & passwords, save it in the bin folder of your Apache JMeter software, and pass the directory URL in "CSV Data Set Config". When you make the script, note that you have to use the same username & password.
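The two steps named in the answer above (parametrization from a CSV file, then correlation of the login token), as an added JMX fragment that is not part of the original post. The file name `users.csv`, the `/login` path, the form field names, and the JSON shape of the login response are assumptions; the host is assumed to come from an HTTP Request Defaults element.

```xml
<!-- Added example: children of a Thread Group's <hashTree> in a .jmx file.
     users.csv is a constructed file, one test account per line: alice,Example-Pass-1 -->
<CSVDataSet guiclass="TestBeanGUI" testclass="CSVDataSet" testname="CSV Data Set Config" enabled="true">
  <stringProp name="filename">users.csv</stringProp>
  <stringProp name="variableNames">username,password</stringProp>
  <stringProp name="delimiter">,</stringProp>
  <boolProp name="recycle">true</boolProp>
  <boolProp name="stopThread">false</boolProp>
  <stringProp name="shareMode">shareMode.all</stringProp>
</CSVDataSet>
<hashTree/>
<!-- Assumed login request: each thread posts the credentials read from its CSV line -->
<HTTPSamplerProxy guiclass="HttpTestSampleGui" testclass="HTTPSamplerProxy" testname="Login" enabled="true">
  <stringProp name="HTTPSampler.path">/login</stringProp>
  <stringProp name="HTTPSampler.method">POST</stringProp>
  <elementProp name="HTTPsampler.Arguments" elementType="Arguments">
    <collectionProp name="Arguments.arguments">
      <elementProp name="username" elementType="HTTPArgument">
        <stringProp name="Argument.name">username</stringProp>
        <stringProp name="Argument.value">${username}</stringProp>
        <stringProp name="Argument.metadata">=</stringProp>
      </elementProp>
      <elementProp name="password" elementType="HTTPArgument">
        <stringProp name="Argument.name">password</stringProp>
        <stringProp name="Argument.value">${password}</stringProp>
        <stringProp name="Argument.metadata">=</stringProp>
      </elementProp>
    </collectionProp>
  </elementProp>
</HTTPSamplerProxy>
<hashTree>
  <!-- Correlation: capture the token from the login response (assumed JSON body) -->
  <RegexExtractor guiclass="RegexExtractorGui" testclass="RegexExtractor" testname="Regular Expression Extractor" enabled="true">
    <stringProp name="RegexExtractor.useHeaders">false</stringProp>
    <stringProp name="RegexExtractor.refname">token</stringProp>
    <stringProp name="RegexExtractor.regex">"token"\s*:\s*"([^"]+)"</stringProp>
    <stringProp name="RegexExtractor.template">$1$</stringProp>
    <stringProp name="RegexExtractor.default">TOKEN_NOT_FOUND</stringProp>
    <stringProp name="RegexExtractor.match_number">1</stringProp>
  </RegexExtractor>
  <hashTree/>
</hashTree>
<!-- Later samplers in the same thread send the captured value as ${token} -->
```

The explicit default value makes a failed login visible: any later request carrying `TOKEN_NOT_FOUND` shows that the extractor did not match, instead of silently sending an empty token.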