There is a bug in the default authentication service delivered with Kuali Coeus 1.0. If the log level is set to 'debug' and password authentication is turned off, you will get a NullPointerException. The default log level out of the box is 'info'; if you haven't edited the log4j.properties file included in the project, make sure there is not another log4j.properties on your classpath (i.e., from your servlet container). (This is fixed in release 1.1.)
To turn off the backdoor user login functionality, the 'environment' and 'production.environment.code' parameters in kra-config.xml should match. This will also enable the password field on the default CAS login screen.
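A pre-deployment check for the setting described above, as an added example that is not part of Kuali Coeus. It assumes kra-config.xml uses a `<config>` root with `<param name="...">` children and that a later duplicate parameter replaces an earlier one; the sample values `dev` and `prd` are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample configs; the <config>/<param name="..."> layout is an assumption.
BACKDOOR_ON = """<config>
  <param name="environment">dev</param>
  <param name="production.environment.code">prd</param>
</config>"""

BACKDOOR_OFF = """<config>
  <param name="environment">prd</param>
  <param name="production.environment.code">prd</param>
</config>"""

KEYS = ("environment", "production.environment.code")


def read_params(xml_text):
    """Return {name: value} for the two parameters of interest.

    A later duplicate replaces an earlier one (assumed override behaviour).
    """
    params = {}
    for param in ET.fromstring(xml_text).iter("param"):
        name = param.get("name")
        if name in KEYS:
            params[name] = (param.text or "").strip()
    return params


def backdoor_status(xml_text):
    """Classify a config as 'disabled', 'enabled' or 'unknown'."""
    params = read_params(xml_text)
    values = [params.get(key) for key in KEYS]
    # Missing, empty or placeholder (${...}) values cannot be compared here,
    # so report them for manual review instead of guessing.
    if any(not value or "${" in value for value in values):
        return "unknown"
    # Matching values turn the backdoor user login off; a mismatch leaves it on.
    return "disabled" if values[0] == values[1] else "enabled"


if __name__ == "__main__":
    for label, text in (("mismatched", BACKDOOR_ON), ("matching", BACKDOOR_OFF)):
        print(label, "->", backdoor_status(text))
```

Treat an 'unknown' result as a failed check in a deployment pipeline, since the effective values then have to be confirmed by hand.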