Im using LdapExtLoginModule and in the code I can see that it in the validatePassword() method stores the AuthenticationException from failed validation in the super class. Then in the super class UsernamePasswordLoginModule, the AuthenticationException is retrieved again in the login() method and used as initCause() on the FailedLoginException that is thrown out of login(). The problem seems to be that the original AuthenticationException has a resolvedObject set with LdapCtx which is not serializable, and when the FailedLoginException is serialized to be sent over to the client, it blows up with NotSerializableException. View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4200293#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...