- Bug
- Resolution: Unresolved
- Major
When a wrong password is in use, even if the Authentication verification callback returns false, the logic of the custom mechanism continues instead of returning. In case of a valid Authorization group, the reply is considered complete.
We can see in the documentation that a wrong password (hard coded to `password`) is in use.
A return seems missing there: https://github.com/wildfly/quickstart/blob/main/http-custom-mechanism/custom-module/src/main/java/org/jboss/as/quickstart/http_custom_mechanism/CustomHeaderHttpAuthenticationMechanism.java#L100
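
A minimal model of the control flow described in this report, added here as an example and not taken from the quickstart: `Request`, `verifyEvidence`, `authorize` and the sample user are hypothetical stand-ins for the Elytron request object and callbacks. It sends the same wrong-password request through the flow without the `return` and with it.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Map;
// Simplified model of the flow in the report; Request and the helpers are
// hypothetical stand-ins, not the WildFly Elytron API.
public class MissingReturnDemo {
    static final class Request {
        String outcome = "none";
        void authenticationFailed(String reason) { outcome = "failed: " + reason; }
        void authenticationComplete() { outcome = "complete"; }
    }

    // Constructed sample data: one user who also passes the authorization step.
    static final Map<String, String> USERS = Map.of("quickstartUser", "correct-horse");
    // Stands in for the evidence verification callback.
    static boolean verifyEvidence(String user, String password) {
        String stored = USERS.get(user);
        return stored != null && MessageDigest.isEqual(
                stored.getBytes(StandardCharsets.UTF_8), password.getBytes(StandardCharsets.UTF_8));
    }
    // Stands in for the authorization step that follows verification.
    static void authorize(Request request, String user) {
        if (USERS.containsKey(user)) request.authenticationComplete();
        else request.authenticationFailed("not authorized");
    }
    // Flow as reported: the failure is signalled, then execution falls through.
    static void evaluateWithoutReturn(Request request, String user, String password) {
        if (!verifyEvidence(user, password)) {
            request.authenticationFailed("evidence not verified");
        }
        authorize(request, user); // still runs and overwrites the failure in this model
    }

    // Same flow with the early return the report says is missing.
    static void evaluateWithReturn(Request request, String user, String password) {
        if (!verifyEvidence(user, password)) {
            request.authenticationFailed("evidence not verified");
            return;
        }
        authorize(request, user);
    }
    public static void main(String[] args) {
        Request before = new Request(), after = new Request();
        evaluateWithoutReturn(before, "quickstartUser", "password"); // wrong password
        evaluateWithReturn(after, "quickstartUser", "password");
        System.out.println("without return: " + before.outcome);
        System.out.println("with return:    " + after.outcome);
    }
}
```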