I have managed to find a workaround - to use the password-sharing option of the ClientLoginModule to pass the credentials into the ClientLoginModule as a String instead of letting the ClientLoginModule resolve the password itself via a PasswordHandler where the credentials appear as a char[] instead. This doesn't obviate the need to change JBoss to make credential handling consistent, but at least gets around my immediate problem. View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4040026#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...