If the password happens to be set first before the user then the connection will fail.

The problem occurs in the config() method...

  private void config() throws SQLException {

    if (url == null) throw new SQLException("url not set");

    conf = Configuration.parse(url);

    if (loginTimeout != null) conf.connectTimeout(loginTimeout * 1000);

    if (user != null) {

      conf = conf.clone(user, password);

    } else {

      user = conf.user();

      password = conf.password();

    }

  }

If the password is set before the user (i.e. user is null when config() is called) then the statement

      password = conf.password();

overwrites the password with null (assuming that there is no password in the URL).
Any subsequent call to getConnection() will likely fail because the connection will be attempted without a password.

In Payara/Glassfish the order of setting of the connection properties is governed by the code in com.sun.gjc.common.DataSourceObjectBuilder.constructDataSourceObject() which uses reflection to discover the driver's properties. The methods are invoked in the (arbitrary) order of discovery, so the order is not controllable by the user.
It depends on what the eventual result should be as to what the solution is. Should parameters in the URL take precedence over explicit property settings?