Custom GridSecurityProcessor implementation allows optional authentication. With other words, if some credentials are presents then authentication performed, otherwise - not (some restricted SecurityContext returned).
REST API works fine. If credentials are present or the auth request was made then the auth works as desired, if not - it also works but only for some authorized requests.
CommandHandler which is used for controlling a cluster through the CLI script command.sh|bat doesn't respect credential parameters and sends auth request only in case of authentication exception for a regular request. In the described case of optional authentication it never happens, so the result always depends on the "default" Permissions.
Change GridClientNioTcpConnection to always send first an auth request in case of provided credentials.