The lack of logoff ability (short of closing the browser) is one issue. You also have to pass the auth headers with each request, instead of having auth linked to a session (is this true with jboss? I don't know for sure.)
And for customer/user facing applications, having a login form integrated within your design is usually preferable.
Those are my thoughts at any rate...