Ok, I've fixed my own problem.
I updated to update 15, and discovered that it now works. The reason?
The old jre/lib/security/java.policy file had been set with
permission java.security.AllPermission;
as the last line (for another system's use).
Removing that openness triggers GF to pay attention to authentication requirements.
Thanks to those who've taken the time to look at this issue.
Ben
[Message sent by forum member 'benk' (benk)]
http://forums.java.net/jive/thread.jspa?messageID=266741