For some reason wagon 2.0 ignores the return code and since the original AuthStaticFileHandler would return the static file regardless the test would pass. Switching back to wagon 1.0-beta-7 (which comes with Maven 3.0.3) exposes this problem as it does abide the return code.

Given http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.4.2 it is clear that the handler is implementing authentication incorrectly since it must include a WWW-Authenticate header field in the response.