Yes. That's right. If you add "Authenticated" to the admin user from jmx-console and log in to jmx-console as admin, then you can go everywhere in JBoss Portal because you are in both roles "Admin" and "Authenticated". That's correct.
My interest is in the situation when you are only in the "Admin" (or maybe "User") role but not in the role "Authenticated". That's the problem from my point of view.
Imagine another situation: The default portal is configured normally so everyone can see it. If an unauthenticated user (unchecked guest) goes to http://localhost/portal, he sees the default portal page, and when he clicks the 'News' link, he is redirected to http://localhost:8080/portal/portal/default/News and he can see the News page of the default portal. But when the admin user from jmx-console (who is logged in to jmx-console and is only in the "Admin" role but not "Authenticated") goes to http://localhost:8080/portal, he can see the default portal page, but when he clicks on the News link, he is redirected to the URL http://localhost:8080/portal/auth/portal/default/News and he gets a '403 forbidden' page. So this user has de facto fewer privileges than a completely unauthenticated guest user. This behaviour is a little out of logic from my point of view...
Maybe I am a little paranoid and this is not as important ;-) But from my point of view, the behaviour in the situation when you are in the role "Admin" (or "User") and not in "Authenticated" is not logical.
A solution may be to inform our customers that for correct usage of the Tomcat SSO Valve, they must have users in their web applications in both roles "Admin" and "Authenticated" (or "User" and "Authenticated" for normal non-admin users).
View the original post :
http://www.jboss.org/index.html?module=bb&op=viewtopic&p=4227431#...
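
The three cases from the post above, modelled as an added example (not part of the original post and not JBoss Portal code). It assumes that `/auth/*` is constrained to the role "Authenticated" and that the portal links to the `/auth/` path once the request carries a principal, both inferred from the behaviour the post describes; all function names are hypothetical.

```python
# Simplified model of servlet container-managed security for the scenario
# in the post. Paths are relative to the /portal context.
from fnmatch import fnmatch

# Constructed constraint table (assumption): URL pattern -> roles allowed.
CONSTRAINTS = {"/auth/*": {"Authenticated"}}


def portal_link(principal, page):
    """Link target: the /auth/ variant is used once a principal is present."""
    prefix = "/auth/portal" if principal else "/portal"
    return f"{prefix}/default/{page}"


def authorize(principal, roles, path):
    """Outcome the container gives: 'OK', 'LOGIN' or 'FORBIDDEN'."""
    for pattern, allowed in CONSTRAINTS.items():
        if fnmatch(path, pattern):
            if principal is None:
                return "LOGIN"      # no identity yet: container starts login
            if allowed & set(roles):
                return "OK"
            # Identity already established (here via SSO) but the role is
            # missing: the container answers 403 and offers no re-login.
            return "FORBIDDEN"
    return "OK"                     # unconstrained resource, open to everyone


def click_news(principal, roles):
    """Follow the News link as the given user; return (path, outcome)."""
    path = portal_link(principal, "News")
    return path, authorize(principal, roles, path)


# Constructed users matching the cases discussed in the post.
CASES = {
    "guest": (None, []),
    "sso_admin_only": ("admin", ["Admin"]),
    "sso_admin_and_authenticated": ("admin", ["Admin", "Authenticated"]),
}

if __name__ == "__main__":
    for name, (principal, roles) in CASES.items():
        print(f"{name:30s}", *click_news(principal, roles))
```

The SSO user who lacks "Authenticated" ends up worse off than the guest only because the carried-over principal sends him to the constrained path, where the role check fails.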