For propagation the ClientLoginModule needs to push the identity that was authenticated. When was the custom principal created? Describe the full workflow from incoming request to propagation to the ejb. The JBossSecurityMgrRealm cannot be involved in creating principals as its the security interceptor running in the context of the authentication request that has the knowledge and correct classpath. View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3973354#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...