At second glance, I think I realized why I didn't use Q13 in http://wiki.jboss.org/wiki/Wiki.jsp?page=AccessingServletRequestForAuthen.... The issue is that SPNEGO is a multi-pass authentication. It is my understanding that it is the job of the callback handler to retrieve user credentials. That is why I put the phase 1 part of authentication into the callback handler. In this phase, I needed access not only to the request, but also the response so that the callback handler could send a proper response the to the browser to have it perform the next phase of the authentication. After the browser handles it's phase, I then can handle the final phase in the login module Perhaps I'm interpreting the role of the callback handler improperly or too strictly? View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3967333#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...