From my reading of the spec, the problem is as follows:
Expires is not a valid directive according to the RFC, though it is mentioned for backwards compatibility with netscape draft spec. When httpclient sees "Expires", it parses according to the netscape draft spec, but note from RFC2109:
and note that AuthenticationFilter puts quotes around the value:
So httpclient's parsing appears to be kosher.