There is a mismatch between the initial authentication of a web request against the security domain associated with a web app and subsequent validation of the session credentials that cause the login modules to be executed twice. The first time a char[] password is used while subsequent authentications use a String password.