Setting the security context has to be reconciled with the security aspect behavior. If
you do an explicit JAAS login, all that really results is an authenticated subject.
Instead of having a ClientLoginModule push this to a thread local, it could associate this
info with the mc metadata repository at a request scope. The aspect checking the security
context would use the metadata repository to pick up scope starting from the request and
moving up to higher levels like deployment, security domain default, etc.
Alternatively, we could look at Subject.doAs*()/Subject.getSubject(AccessControlContext
acc) with validation of the authentication as data in the subject private credentials to
better leverage the JAAS APIs.
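A sketch of the Subject.doAs()/Subject.getSubject(AccessControlContext) alternative mentioned in the post, added here as an illustration and not part of the original post or of JBoss code. The `AuthenticationToken` class, the `checkedInvoke` method and the `example-domain` name are hypothetical; the example targets Java 8 to 17, since `Subject.getSubject(AccessControlContext)` is deprecated for removal in newer JDKs.

```java
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.x500.X500Principal;

public class SubjectContextExample {

    // Hypothetical marker stored in the private credentials by whatever
    // performed the login; records which security domain authenticated the subject.
    static final class AuthenticationToken {
        final String securityDomain;
        AuthenticationToken(String securityDomain) { this.securityDomain = securityDomain; }
    }

    // Stand-in for the security aspect: the caller is read from the access
    // control context instead of from a thread local.
    static String checkedInvoke(String requiredDomain) {
        Subject caller = Subject.getSubject(AccessController.getContext());
        if (caller == null) {
            throw new SecurityException("no subject bound to the current context");
        }
        Set<AuthenticationToken> tokens =
                caller.getPrivateCredentials(AuthenticationToken.class);
        for (AuthenticationToken t : tokens) {
            if (t.securityDomain.equals(requiredDomain)) {
                return "allowed for " + caller.getPrincipals();
            }
        }
        throw new SecurityException("subject was not authenticated by " + requiredDomain);
    }

    public static void main(String[] args) {
        // Constructed subject standing in for the result of LoginContext.login().
        Subject subject = new Subject();
        subject.getPrincipals().add(new X500Principal("CN=alice"));
        subject.getPrivateCredentials().add(new AuthenticationToken("example-domain"));

        // Inside doAs the subject travels with the access control context.
        String result = Subject.doAs(subject,
                (PrivilegedAction<String>) () -> checkedInvoke("example-domain"));
        System.out.println(result);

        try {
            checkedInvoke("example-domain"); // outside doAs nothing is bound
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

When a Security Manager is installed, reading private credentials additionally requires `PrivateCredentialPermission`, which restricts which code can see the authentication marker.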