- Feature Request
- Resolution: Obsolete
- Major
- JBossAS-4.0.3RC2
- None
- 4.0.3RC2/EJB3
If an authentication fails, the thrown javax.security.auth.login.FailedLoginException has a detailed message, which says "Password Incorrect/Password Required" or "No matching username found in Principals". This is pretty good information for an attacker, since then it knows where to continue its attack and is able to skip a lot of tasks (no matter whether it comes from the internal or external network; in our days, attacks from internal are probably the most common case).
Actually, that's also the reason why many authentication systems even insert a delay, to not let the attacker guess whether the guessed username was wrong or the guessed password (minimal, but measurable delay due to en/decryption) ...
So, logging those details might be ok, but revealing that information to the client is without any doubt a security issue!
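The two failure modes the report describes (distinct error text per failure, and a cheaper code path when the username does not exist) side by side with a hardened variant, as an added example written for this page; it is not JBoss AS code and not the reporter's. The user store, the static salt, the PBKDF2 parameters and the `DUMMY_HASH` trick are all assumptions made for the illustration: the hardened path computes the same password hash whether or not the user exists, compares it with `MessageDigest.isEqual`, throws a single generic `FailedLoginException` message, and keeps the precise reason for the server log only.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.security.auth.login.FailedLoginException;

/** Added example (not JBoss code): generic failure messages plus fixed-cost password checks. */
public class LoginMessageDemo {

    // Constructed sample user store: username -> PBKDF2 hash. A real store would use a per-user salt.
    private static final byte[] SALT = "constructed-demo-salt".getBytes(StandardCharsets.UTF_8);
    private static final Map<String, byte[]> USERS = new HashMap<>();

    // Hash compared against when the username is unknown, so that path does the same work as a real check.
    private static final byte[] DUMMY_HASH = pbkdf2("dummy-value-never-a-real-password".toCharArray());

    static {
        USERS.put("alice", pbkdf2("correct horse battery staple".toCharArray()));
    }

    /** PBKDF2-HMAC-SHA256; parameters are assumptions for the demo, not a recommendation. */
    static byte[] pbkdf2(char[] password) {
        try {
            PBEKeySpec spec = new PBEKeySpec(password == null ? new char[0] : password, SALT, 100_000, 256);
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    /** Leaky variant with the messages the report quotes: the text (and the early return) reveal which part failed. */
    static void leakyLogin(String user, char[] password) throws FailedLoginException {
        byte[] stored = USERS.get(user);
        if (stored == null) {
            // returns before any hashing: cheaper than the bad-password path and worded differently
            throw new FailedLoginException("No matching username found in Principals");
        }
        if (!MessageDigest.isEqual(stored, pbkdf2(password))) {
            throw new FailedLoginException("Password Incorrect/Password Required");
        }
    }

    /** Hardened variant: one message for every failure and the same amount of work on every path. */
    static void hardenedLogin(String user, char[] password) throws FailedLoginException {
        byte[] stored = USERS.get(user);
        boolean userExists = stored != null;
        byte[] candidate = pbkdf2(password);                       // always computed, even for unknown users
        byte[] reference = userExists ? stored : DUMMY_HASH;       // unknown user still gets a full comparison
        boolean passwordOk = MessageDigest.isEqual(reference, candidate); // constant-time comparison
        if (!(userExists && passwordOk)) {
            // The precise reason stays on the server side (stand-in for the container's logger).
            System.err.println("login failed: user=" + user + " reason=" + (userExists ? "bad password" : "unknown user"));
            throw new FailedLoginException("Authentication failed");
        }
    }

    private static String outcome(String label, String user, char[] pw, boolean hardened) {
        try {
            if (hardened) hardenedLogin(user, pw); else leakyLogin(user, pw);
            return label + ": success";
        } catch (FailedLoginException e) {
            return label + ": " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        char[] wrong = "wrong".toCharArray();
        // Leaky: the two failures are distinguishable by their message text.
        System.out.println(outcome("leaky/unknown user ", "bob", wrong, false));
        System.out.println(outcome("leaky/bad password ", "alice", wrong, false));
        // Hardened: identical message for both failures, and identical hashing cost.
        System.out.println(outcome("hard /unknown user ", "bob", wrong, true));
        System.out.println(outcome("hard /bad password ", "alice", wrong, true));
        System.out.println(outcome("hard /correct      ", "alice", "correct horse battery staple".toCharArray(), true));
    }
}
```

Compile and run with `javac LoginMessageDemo.java && java LoginMessageDemo`; the detailed reason appears only on stderr, which stands in for the server log the report says may legitimately keep that detail.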