OK - thanks to this post http://jboss.org/forums/thread.jsp?forum=49&thread=3142
Things are now validated against my users.properties file.
I have put the users/roles.properties files into the WEB-INF/classes directory of my war.
I had upgraded to jboss3.4.3/jetty126.96.36.199 - which gave more debug info - but then actually failed to accept valid user/passwd - ClassCastException in isUserInRole.
So I went back to my version above - and voila - it works!!!
Although only the first 3 chars of the realm name seem to be used - as the client has to use only the first 3 chars in the credentials...