In JBoss AS 7.1.1, if a user provided ServerAuthModule provides a GroupPrincipalCallback, this is ignored by WebJASPIAuthenticator. The provider handler copies the GroupPrincipalCallback, but the authenticator then does nothing with it. Simulteanously, if the ServerAuthModule does not provide a PasswordValidationCallback to the handler, then this will result in a null pointer exception in the authenticator.

I wonder is this is correct? Reading about JASPI/JSR 196 it seems a GroupPrincipalCallback should be processed when provided and a PasswordValidationCallback should not be required.