Bug
Resolution: Done
Major
4.1.0.Final
None
When a property is updated (with property.setValue), the credentials are never checked. AbstractJcrProperty (or its set of sub-classes) seems to be missing any credential check.
I'm assuming this is by design, but this seems to be a security loophole.