Are you sure this login configuration is being used for authenticating? Are you doing a programatic login or container managed login? If you are using container managed login, have you configured the security-domain in the jboss-web.xml? What do the TRACE level logs from security package, show? See Q4 at http://wiki.jboss.org/wiki/Wiki.jsp?page=SecurityFAQ to enable TRACE level logs.
its not a bug, its a feature ;-(
you must set this in the loginconfig:
I tried the allowEmptyPasswords option. Works like a charm.