Currently HORNETQ-508 is unresolved, and it doesn't appear as if it will be resolved any time soon due to the current threading model.
Do you have both allowClientLogin and authoriseOnClientLogin set to true on the JBossASSecurityManager in the hornetq-jboss-beans.xml? If so, can you outline your exact configuration and steps/code to reproduce the issue?
Ah, sorry, I looked at the Fix Version attribute. From what I remember, we tried different combinations of true/false for both of those configuration parameters and nothing appeared to work. We attached a debugger to the AS to determine that the REST request thread that had the credentials was not passing it to another thread. I'll see what I can do when I get back to work about gathering the info.