I would like to end this discussion as there is no evidence of an issue with custom principal propagation from both outside the VM as well as inside the application server. Few things to remember: * A custom principal that is created by a login module is its view of the authenticated user. * Have the security domain between the layers involved in the propagation to be the same or have atleast one of the modules to be the custom principal creating login module. View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3973603#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...