On the following wiki page
http://wiki.jboss.org/wiki/BaseCertLoginModule you'll find
the following example:
<application-policy name="jmx-console">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.BaseCertLoginModule"
                  flag="required">
      <module-option name="password-stacking">useFirstPass</module-option>
      <module-option name="securityDomain">java:/jaas/jmx-console</module-option>
    </login-module>
    <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
                  flag="required">
      <module-option name="password-stacking">useFirstPass</module-option>
      <module-option name="usersProperties">jmx-console-users.properties</module-option>
      <module-option name="rolesProperties">jmx-console-roles.properties</module-option>
    </login-module>
  </authentication>
</application-policy>
As the text states, the user is authenticated using his certificate and the rest of his
principal object is populated by the UsersRolesLoginModule (the UsersRolesLoginModule adds
the authenticated user's roles).
This trick unfortunately doesn't work with the LdapExtLoginModule. The user is
properly authenticated by the BaseCertLoginModule and because of that the
LdapExtLoginModule returns successfully without adding the user's roles.
This is inconsistent.
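An audit check for the combination reported in this post, added here as an example (not part of the original post or of JBoss): it scans a login-config.xml and lists policies where LdapExtLoginModule is stacked with useFirstPass behind BaseCertLoginModule. The sample file, the policy name ldap-cert and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

CERT_MODULE = "org.jboss.security.auth.spi.BaseCertLoginModule"
# Modules reported in the post as succeeding without adding roles when they
# are stacked behind the certificate module (extend after testing others).
SKIPS_ROLES = {"org.jboss.security.auth.spi.LdapExtLoginModule"}

# Constructed sample: the wiki policy plus a hypothetical LDAP variant.
SAMPLE = """
<policy>
  <application-policy name="jmx-console">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.BaseCertLoginModule" flag="required">
        <module-option name="password-stacking">useFirstPass</module-option>
      </login-module>
      <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
        <module-option name="password-stacking">useFirstPass</module-option>
      </login-module>
    </authentication>
  </application-policy>
  <application-policy name="ldap-cert">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.BaseCertLoginModule" flag="required">
        <module-option name="password-stacking">useFirstPass</module-option>
      </login-module>
      <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
        <module-option name="password-stacking">useFirstPass</module-option>
      </login-module>
    </authentication>
  </application-policy>
</policy>
"""

def stacking(module):
    opts = {o.get("name"): (o.text or "").strip() for o in module.findall("module-option")}
    return opts.get("password-stacking")

def find_roleless_stacks(xml_text):
    """List (policy, module code) pairs matching the reported combination."""
    findings = []
    for policy in ET.fromstring(xml_text).iter("application-policy"):
        cert_first = False
        for module in policy.iter("login-module"):
            code, first_pass = module.get("code", ""), stacking(module) == "useFirstPass"
            if code == CERT_MODULE and first_pass:
                cert_first = True
            elif cert_first and first_pass and code in SKIPS_ROLES:
                findings.append((policy.get("name"), code))
    return findings
print(find_roleless_stacks(SAMPLE))
```

A policy flagged here is one to test with a real certificate login, checking that the resulting subject actually carries the expected roles.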