JASPIC implementation in JBoss EAP 7.0.0 seems to contradict the javadoc of the ServerAuthModule interface ---------------------------------------------------------------------------------------------------------- Key: SECURITY-958 URL: https://issues.jboss.org/browse/SECURITY-958 Project: PicketBox Issue Type: Bug Reporter: Enrique González Martínez Assignee: Darran Lofthouse The EAP 7.0.0 JASPIC ServerAuthModule framework passes the request policy and response policy objects as null into the initialize() method. The spec and java docs say that both must not be null. http://docs.oracle.com/javaee/6/api/javax/security/auth/message/module/Se... https://docs.oracle.com/javaee/7/api/javax/security/auth/message/module/S... The javadoc and spec says: "The request policy and the response policy must not both be null". Wildfly 10.0.0.Final has the same issue.