Hi,
I have a very basic setup:
1) REST endpoint NOT annotated with @Secure from aerogear-security
2) service in that REST endpoint method which does some operation on database, methods of
that service are NOT annotated with @Secure from aerogear-security
3) methods in DAO class which are called in that service methods (DAO is injected into
service), some methods of that DAO class ARE annotated with @Secure annotation.
When I am testing this setup manually, all works OK. When I log in as admin, after that, I
can call that REST endpoint which in turn calls service layer which in turn calls DAO
layer annotated with @Secure. I do this with CURL and I get what I expect.
However, when I am doing it like this:
https://gist.github.com/smiklosovic/fe5838598a524afdb775#file-gistfile1-j...
it seems to me that when I do login in the first method, I should be authorized to do that
(200 is returned, cookies are returned, all is good, I am logged in) but I am not from
LinkDao point of view. When that 2nd test runs, it fails and it ends up with
AeroGearSecurityException - not authorized. Why?
It is interesting that it works "in one run", meaning I do that from the REST point
of view, but when I inject LinkDao into the test, I should have the very same container
reference of it as in the case where I am doing it REST-like on the command line, so it should be the
same - and that is apparently not the case.
How is picketlink related to aerogear-security regarding sessions? And what kind of
reference do I get after injecting it into the test? Why is that DAO class not aware of my
authorization? It seems that when I inject it into the test, that DAO is not aware of the previous
steps regarding the authorization.
Thank you for any hints
Stefan Miklosovic
Red Hat Brno - JBoss Mobile Platform
e-mail: smikloso(a)redhat.com
irc: smikloso