diff --git a/modules/server/src/main/java/org/jboss/wsf/stack/cxf/security/authentication/SubjectCreator.java b/modules/server/src/main/java/org/jboss/wsf/stack/cxf/security/authentication/SubjectCreator.java
index 3bc595e1a..57c8b5bf7 100644
--- a/modules/server/src/main/java/org/jboss/wsf/stack/cxf/security/authentication/SubjectCreator.java
+++ b/modules/server/src/main/java/org/jboss/wsf/stack/cxf/security/authentication/SubjectCreator.java
@@ -182,7 +182,11 @@ public Subject createSubject(SecurityDomainContext ctx, String name, String pass
 }
 if (isDigest && created != null && nonce != null) { // username token profile is using digest
 // verify client's digest
- TwoWayPassword recoveredTwoWayPassword = identity.getCredential(PasswordCredential.class).getPassword(TwoWayPassword.class);
+ PasswordCredential passwordCredential = identity.getCredential(PasswordCredential.class);
+ if (passwordCredential == null) {
+ throw MESSAGES.authenticationFailed(principal.getName());
+ }
+ TwoWayPassword recoveredTwoWayPassword = passwordCredential.getPassword(TwoWayPassword.class);
 if (recoveredTwoWayPassword == null) {
 SECURITY_LOGGER.plainTextPasswordMustBeRecoverable(principal.getName(), null);
 throw MESSAGES.authenticationFailed(principal.getName());
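Review bot: The new `passwordCredential == null` branch fails the login without leaving any server-side trace, unlike the `recoveredTwoWayPassword == null` branch directly below it, which calls `SECURITY_LOGGER.plainTextPasswordMustBeRecoverable(principal.getName(), null)` before throwing. An identity with no `PasswordCredential` at all is the same operational problem for digest verification (there is no recoverable password to compare against), so the same log call, or a dedicated message, belongs before the new `throw`; alternatively both cases can share the existing branch with `TwoWayPassword recoveredTwoWayPassword = passwordCredential == null ? null : passwordCredential.getPassword(TwoWayPassword.class);`. Keeping the exception returned to the caller identical in both branches is right, because it does not reveal which accounts lack a stored password credential. `identity` is dereferenced on the first added line with no null check visible here; createSubject starts and ends outside the hunk, so confirm that it is guarded earlier in the method.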