Bug
Resolution: Done
Major
3.0.9.Final
None
Using the OAuthAuthenticationServerValve as described in http://docs.jboss.org/resteasy/docs/3.0.9.Final/userguide/html/oauth2.html#d4e1516 causes an authentication error when a user's password contains a : character.
This is due to the following code in basicAuth():
    String[] creds = BasicAuthHelper.parseHeader(authHeader);
    [...]
    String username = creds[0];
    String password = creds[1];
    GenericPrincipal gp = (GenericPrincipal) context.getRealm().authenticate(username, password);
BasicAuthHelper.parseHeader() just splits the header string on ':' (after base64-decoding it). If the user's password contains a ':' character, the returned String array holds more than 2 entries, with the password split across several of them. The code fragment above uses only creds[1] as the user's password, so the part of the password after the second ':' is silently discarded and authentication against the realm fails.
I've observed this in 3.0.9.Final - looking at the code, this appears to be an issue in subsequent releases, too.
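As an added illustration (not RESTEasy's own code), the following contrasts a naive parser that mirrors the bug (split on every ':' and take index 1) with one that splits at the first ':' only, which is what RFC 7617 requires since the user-id itself may not contain a colon. The class and method names are hypothetical; the sample credential "alice:pa:ss" is constructed.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;

// Hypothetical helper, added here to demonstrate the defect; not RESTEasy's BasicAuthHelper.
public class BasicAuthParsing {

    /** Mirrors the buggy behaviour: splits on every ':' and keeps only the second field. */
    static String[] parseNaive(String authHeader) {
        String encoded = authHeader.substring("Basic ".length());
        String decoded = new String(Base64.getDecoder().decode(encoded), StandardCharsets.UTF_8);
        String[] parts = decoded.split(":");
        // Anything after the second ':' is lost here.
        return new String[] { parts[0], parts[1] };
    }

    /** Correct behaviour: user-id cannot contain ':', so everything after the first ':' is the password. */
    static String[] parseFixed(String authHeader) {
        if (!authHeader.regionMatches(true, 0, "Basic ", 0, 6)) {
            throw new IllegalArgumentException("not a Basic credential");
        }
        byte[] raw = Base64.getDecoder().decode(authHeader.substring(6).trim());
        String decoded = new String(raw, StandardCharsets.UTF_8);
        int sep = decoded.indexOf(':');
        if (sep < 0) {
            throw new IllegalArgumentException("missing ':' separator");
        }
        return new String[] { decoded.substring(0, sep), decoded.substring(sep + 1) };
    }

    public static void main(String[] args) {
        // Constructed sample: user "alice" with the password "pa:ss".
        String header = "Basic " + Base64.getEncoder()
                .encodeToString("alice:pa:ss".getBytes(StandardCharsets.UTF_8));
        String[] naive = parseNaive(header);
        String[] fixed = parseFixed(header);
        System.out.println("naive: user=" + naive[0] + " password=" + naive[1]);
        System.out.println("fixed: user=" + fixed[0] + " password=" + fixed[1]);
    }
}
```

Running it shows the naive parser handing the realm a truncated password, while the fixed parser recovers the full value.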
Is cloned by: JBEAP-4696 OAuth 2.0 AuthenticationServerValve fails for user passwords containing colon character (Closed)