WildFly Elytron
ELY-865: Principal name from realms should not be pure user input

Type: Bug
Resolution: Won't Do
Priority: Critical

      All security realms now provide the user-supplied username as the realm identity principal.
      That can be a problem if the identity search is case-insensitive, for example:

      • Let's have a filesystem realm on Windows: the user types "FIRSTuser"; because the filesystem is case-insensitive, the realm will correctly find "firstUser", but the user can obtain two different NamePrincipals, so the same user can act as two different users for an application running on the AS. This can be a security problem.
      • The same problem can occur if the LDAP search is case-insensitive; not sure, but I think this is the case with Active Directory.
      • The same can probably occur for JDBC if the database column is defined as case-insensitive.
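A constructed model of the failure mode described in the report, added here as an illustration; it is not Elytron code and uses none of Elytron's API. The identity store, the NamePrincipal stand-in, the passwords, and the application-side ban list and per-user quota are all assumptions made for the example. It contrasts a realm that hands back the caller-typed spelling as the principal (the reported behaviour) with one that hands back the name as stored in the realm, and shows how application policy keyed on the principal name diverges between the two when the backend lookup ignores case.

```python
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class NamePrincipal:
    """Stand-in for a name-based principal; equality is on the exact string."""
    name: str


# Constructed identity store. Keys are the names exactly as the realm stores
# them (file names in a filesystem realm, or an LDAP/JDBC name attribute).
IDENTITY_STORE = {
    "firstUser": {"password": "s3cret", "roles": {"user"}},
    "admin": {"password": "hunter2", "roles": {"admin"}},
}

# Constructed application-side policy keyed on the principal name, as an
# application deployed on the AS might keep a per-user ban list.
BANNED_PRINCIPAL_NAMES = {"admin"}


def _find_case_insensitive(username):
    """Mimic a backend whose lookup ignores case (Windows filesystem, AD,
    a case-insensitive DB collation). Returns (stored_name, record) or None."""
    folded = username.casefold()
    for stored_name, record in IDENTITY_STORE.items():
        if stored_name.casefold() == folded:
            return stored_name, record
    return None


def _check_password(record, password):
    return hmac.compare_digest(record["password"].encode(), password.encode())


def authenticate_buggy(username, password):
    """Reported behaviour: the principal carries the caller-typed spelling."""
    hit = _find_case_insensitive(username)
    if hit is None or not _check_password(hit[1], password):
        return None
    return NamePrincipal(username)


def authenticate_fixed(username, password):
    """Desired behaviour: the principal carries the name as stored in the realm,
    so every spelling the backend accepts maps to a single principal."""
    hit = _find_case_insensitive(username)
    if hit is None or not _check_password(hit[1], password):
        return None
    stored_name, _record = hit
    return NamePrincipal(stored_name)


class PerUserQuota:
    """Application state keyed on principal name: at most `limit` actions."""

    def __init__(self, limit):
        self.limit = limit
        self.counts = {}

    def allow(self, principal):
        used = self.counts.get(principal.name, 0)
        if used >= self.limit:
            return False
        self.counts[principal.name] = used + 1
        return True


def is_banned(principal):
    return principal.name in BANNED_PRINCIPAL_NAMES


def demo(authenticate):
    """Log in as the same stored user under three spellings and report
    (distinct principals seen, actions allowed under a quota of 2 per user)."""
    spellings = ["firstUser", "FIRSTuser", "FIRSTUSER"]
    principals = [authenticate(s, "s3cret") for s in spellings]
    assert all(p is not None for p in principals)
    quota = PerUserQuota(limit=2)
    allowed = sum(quota.allow(p) for p in principals for _ in range(3))
    return len(set(principals)), allowed


def ban_bypassed(authenticate):
    """True if a banned user can dodge the name-keyed ban by re-spelling."""
    principal = authenticate("ADMIN", "hunter2")
    return principal is not None and not is_banned(principal)


if __name__ == "__main__":
    print("buggy:", demo(authenticate_buggy), "ban bypassed:", ban_bypassed(authenticate_buggy))
    print("fixed:", demo(authenticate_fixed), "ban bypassed:", ban_bypassed(authenticate_fixed))
```

With the buggy realm the three spellings yield three distinct principals, each with its own quota bucket, and "ADMIN" walks past a ban recorded against "admin"; with the fixed realm all three collapse to one principal and the ban holds. The canonicalisation has to happen in the realm, because only the realm knows the backend's collation; an application comparing names itself can only guess which spellings the backend treats as equal.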

              jkalina@redhat.com Jan Kalina (Inactive)