FindBugs found in the 1.6.0-SNAPSHOT branch that SecurityOperation.authenticateSystemUser(TCredentials credentials) does an improper comparison (equals) between AuthenticationToken and byte array.
Additionally, upon visual inspection, it looks like the condition is not'd (missing a ! to throw the exception when the credentials don't match).
The result appears to be that the system user is always authenticated, even if the credentials don't match. I haven't checked 1.5 yet to see if the bug applies there also.