the security domain is already defined in the deploy/profileservice-jboss-beans.xml: | <!-- profileservice secureview application-policy definition --> | <application-policy xmlns="urn:jboss:security-beans:1.0" name="profileservice"> | <authentication> | <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required"> | <module-option name="unauthenticatedIdentity">nouser</module-option> | <module-option name="usersProperties">profileservice-users.properties</module-option> | <module-option name="rolesProperties">profileservice-roles.properties</module-option> | </login-module> | </authentication> | </application-policy> | and this refers to the profileservice-*.properties found in the root of the profileservice-secured.jar deployment: | [573][valkyrie: deploy]$ ls profileservice-secured.jar/ | META-INF profileservice-users.properties | profileservice-roles.properties | Updating the users/roles there is what you need to do. We probably should be reporting some kind of warning when two deployments are creating the same security domain. View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=4228464#... Reply to the post : http://www.jboss.org/index.html?module=bb&op=posting&mode=reply&a...