The reason for the second call is that, between the authentication in the web tier and the call to the EJB, the username and password could have been set in code to run as a different authenticated user. The switch to use the SecurityDomainContext will cause this second call to use the same cache as the first call, so no second authentication will actually occur and the identity will remain the same. Should a username and password be set, the identity will be switched to the new identity. This is also implemented as a stack, so as the call returns the state of the stack is restored to the state it was in when the call arrived at the EJB.
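A constructed model of the behaviour described above, added here as an illustration and not JBoss/WildFly code: the `SecurityDomainContext` class, the `_USERS` store and the `scenario` helper are hypothetical names, and the cache plus identity stack only mimic the cache-hit and push/pop-on-return semantics the text describes.

```python
"""Constructed model of cached authentication with a per-call identity stack (hypothetical, not JBoss code)."""
import hashlib
from contextlib import contextmanager

_SALT = b"constructed-salt:"  # sample only; a real store would use a proper password hash
# Constructed user store: username -> hash of the password (sample data only)
_USERS = {"alice": hashlib.sha256(_SALT + b"alice-pw").hexdigest(),
          "runas": hashlib.sha256(_SALT + b"runas-pw").hexdigest()}


class SecurityDomainContext:
    """Hypothetical stand-in: one authentication cache plus a stack of active identities."""

    def __init__(self):
        self.cache = {}       # (user, credential hash) -> authenticated principal
        self.stack = []       # identity pushed when a call arrives, popped when it returns
        self.auth_calls = 0   # how many times the 'real' login module actually ran

    def authenticate(self, user, password):
        key = (user, hashlib.sha256(_SALT + password.encode()).hexdigest())
        if key in self.cache:
            return self.cache[key]          # cache hit: no second authentication occurs
        self.auth_calls += 1
        if _USERS.get(user) != key[1]:
            raise PermissionError(f"bad credentials for {user}")
        self.cache[key] = user
        return user

    @property
    def current(self):
        return self.stack[-1] if self.stack else None

    @contextmanager
    def invoke(self, user, password):
        """Model of a call entering an EJB: push the identity, restore the stack on return."""
        self.stack.append(self.authenticate(user, password))
        try:
            yield self.current
        finally:
            self.stack.pop()


def scenario():
    """Web-tier login, EJB call with the same credentials, then a run-as switch to another user."""
    ctx = SecurityDomainContext()
    with ctx.invoke("alice", "alice-pw") as web_identity:             # authenticated in the web tier
        with ctx.invoke("alice", "alice-pw") as ejb_identity:         # second call: served from the cache
            same = (web_identity, ejb_identity, ctx.auth_calls)
            with ctx.invoke("runas", "runas-pw") as switched:         # code set a different user/password
                switched_to = (switched, ctx.auth_calls)
        restored = ctx.current                                        # stack restored after the EJB returns
    return {"same": same, "switched": switched_to, "restored": restored, "after": ctx.current}
```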