As my mod handles the user's password, which could be accessed via reflection, I have made the handler class package-private.
As other mods can declare a class in that package, they can access the "secure" class; therefore I turned on the path seal via the MANIFEST.MF,
but I get an error: "\minecraft\mods\ReAuth-1.4.jar has a security seal for path reauth, but that path is defined and not secure" and I can still declare classes in that package from a different jar file, which should be disabled by the seal.
I really just want to commend you for thinking properly about security, but I can reply to the question too.
I suspect the way Minecraft Forge loads mods is breaking some of the .jar security features. You might be able to seal the package somehow, but it's never truly safe. Java's access modifiers are not created for security; they are created for improved code structure and simplicity. The sad truth is as long as you deal with the password in cleartext, there is always a way to get around and access it. For instance, someone could intercept the ClassLoader and modify the code in your password handling class, maybe grab the string from the garbage collector, etc.
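
A runtime check for the situation discussed in this thread, added here as an example and not taken from either post, ReAuth or Forge: it reports whether the class loader actually registered the package as sealed, and whether a class claiming the same package was loaded from a different jar. The class name `SealCheck` and its helper methods are hypothetical; the manifest lines in the comment are the standard JAR sealing attributes applied to the `reauth` path from the error message.

```java
import java.net.URL;
import java.security.CodeSource;

// Added example (hypothetical helper, not part of ReAuth or Forge).
// Assumes the jar manifest seals the package with the standard JAR attributes:
//   Name: reauth/
//   Sealed: true
public final class SealCheck {

    // Jar or directory a class was loaded from, or null if the loader recorded none.
    static String originOf(Class<?> c) {
        CodeSource cs = c.getProtectionDomain().getCodeSource();
        URL loc = (cs == null) ? null : cs.getLocation();
        return (loc == null) ? null : loc.toExternalForm();
    }

    // Package name derived from the class name (Java 8 has no Class.getPackageName()).
    static String packageOf(Class<?> c) {
        String n = c.getName();
        int dot = n.lastIndexOf('.');
        return dot < 0 ? "" : n.substring(0, dot);
    }

    // True only if the defining class loader registered the package as sealed.
    // A loader that never applies the manifest seal leaves this false.
    static boolean sealHonored(Class<?> anchor) {
        Package p = anchor.getPackage();
        return p != null && p.isSealed();
    }

    // True if 'other' claims the same package as 'anchor' but has another code source.
    // An unknown origin on either side is treated as foreign.
    static boolean isForeignMember(Class<?> anchor, Class<?> other) {
        if (!packageOf(anchor).equals(packageOf(other))) return false;
        String a = originOf(anchor), b = originOf(other);
        return a == null || b == null || !a.equals(b);
    }

    public static void main(String[] args) {
        Class<?> anchor = SealCheck.class; // stand-in for the package-private handler class
        System.out.println("origin:         " + originOf(anchor));
        System.out.println("seal honored:   " + sealHonored(anchor));
        System.out.println("self foreign:   " + isForeignMember(anchor, anchor));
        System.out.println("String foreign: " + isForeignMember(anchor, String.class));
    }
}
```

In a mod, `anchor` would be the handler class itself; a `false` from `sealHonored` means the loader is not enforcing the seal, so same-package classes from other jars are not being rejected.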