[ https://issues.jboss.org/browse/SECURITY-808?page=com.atlassian.jira.plug... ] Lorenz Froihofer commented on SECURITY-808: ------------------------------------------- Tracked down the issue a little bit further (picketbox-4.9.2.Final in Wildfly 9.0.1.Final): JBossCallbackHandler.getPassword() falls back to try the dynamic invocation of a method named "toCharArray": {code:java} Method m = credential.getClass().getMethod("toCharArray", types); Object[] args = {}; password = (char[]) m.invoke(credential, args); {code} This fails with a NoSuchMethodException for a RemotingConnectionCredential object as this class does not offer such a method. The exception handling just tries to create a credential by using the "toString" method on the credential object (the RemotingConnectionCredential) - leading to a String such as org.jboss.as.security.remoting.RemotingConnectionCredential@22341334 instead of the real password. As far as the code looks like, the RemotingConnectionCredential should allow for a callback to get the password, but looking at it or the wrapped Connection class, one can only get the username through org.jboss.remoting3.Connection.getUserInfo(), but no password. This seems to be a more general issue not only related to the DatabaseServerLoginModule but to custom login modules as well: https://developer.jboss.org/message/866429 -- This message was sent by Atlassian JIRA (v6.4.11#64026)