In general that has to be a security aspect in the call chain to ensure a proper security context. This gets back to the cluster question you had earlier. The form of the incoming security context may need to be mapped into another form. Any existing usage of the SecurityAssociation outside of a security interceptor is broken code. Either it needs to be using a public authentication api, or it needs to be moved into a security aspect that can be kept in sync with implementation details. View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4041439#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...