The user's password? Where would that be filled in? In a form? If you do not want to persists it and want to use digital signatures, then why request it in the first place??? It is easier to build your own webapp and do with the password you want than to change/adapt jBPM either by interceptors or whatever.
The user's password would be filled in when providing the information to complete the task. 21CFR11 requires the user to provide username and password at the time of performing the task. this ensures that the person that signed off is the user that is logged in. Unfortunately I have almost no control over the client, since I am using an instance of jBPM that is embedded in another application that handles the client for me. Thus, I need to be able to make this change inside of jBPM
Since I'm from europe, I do not know much about 21 CFR 11, but it also states 'digital signatures' as do you. I do not see that relation here and not to storing the passwords. But...
There is always an api between the client and the server. ... I would solve it there, not just before storing the password.