The issue is that Jetty avoids creating a lot of garbage by looking up such common strings in a StringTrie directly from the bytes received.
I will look at making this optional, but for your authentication mechanism I would think it is very delicate if it is relying on case insensitive fields being case sensitive. While the servlet spec does imply that we should return the exact characters, there is nothing stopping a proxy or any other intermediary rewriting headers to semantically equivalent ones. Indeed you may even go via a binary protocol (AJP13 or SPDY) that tokenises headers and thus also changes their case.
Is it possible for you yo make your mechanism do lower case conversions before calculating any hash values on case insensitive data?