This is a usage issue that has shown up in the past where there is switching between char[]/String forms of a credential:
http://jira.jboss.com/jira/browse/JBAS-3287

The current logic is very strict about matching the input credential against that in the cache. Since there is no ambiguity in moving between String/char[] (unlike String/byte[]), I don't see why we should not support a check for a String/char[] mismatch on credential type and try a char[]/char[] comparison after obtaining the char[] from the String.