I request that this version of JBossUserRealm be included in the baseline code. All I did was remove the restriction that a user's credentials must be a string. The code modification does not seem to have any effect on the standard authentication approaches; in particular, BASIC authentication through the web still works. However, with this change CLIENT-CERT authentication also works; without the mod, you can't get a client certificate into the JAAS authentication/authorization process.