I'm using a custom login module which in turn uses an EJB to verify username/password.
However, this EJB is part of a security domain, since it also provides methods relying on
an authenticated principal.
Calls from a standalone Java application to various EJBs being part of the security
domain are authenticated and authorized properly. From this I would conclude that the
login module is allowed to call methods of an EJB belonging to a non-default security
domain. Occasionally (5 out of 80.000 calls) it happens that JBoss realizes that the EJB
belongs to a security domain and therefore tries to authenticate it using a login module,
calling the EJB again, intercepted again, and so on. This recursion continues until a stack
overflow occurs. From this behaviour I would conclude that it is not possible to call an
EJB being part of a non-default security domain from a login module.
One of the behaviours must be wrong since it is inconsistent, but which one?
Is there a parameter I may/need to set in order to allow the login module to call EJBs even if
they are part of a non-default security domain?
In the Documentation/Wiki I read that the security domain can only be defined on JAR
level. Therefore I cannot exclude those methods from the security domain used by the login
module. Splitting the JAR and/or EJB is also not an option for me.
BTW: I'm using JBoss 4.0.4GA.
Axel
View the original post :
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3988402#...
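
A minimal model of the recursion described in the post, added here as an illustration and not taken from the post or from JBoss: a thread-local flag in a JAAS login module detects re-entrant authentication and fails fast instead of recursing until the stack overflows. `SecuredCredentialBean`, `GuardedLoginModule` and the `callerAuthenticated` switch are hypothetical stand-ins for the secured EJB and the container's interceptor; that the container re-enters the login module on the same thread is an assumption.

```java
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;
// Added illustration: every class name below is hypothetical, none is a JBoss API.
public class ReentrancyGuardDemo {
    // Stand-in for a secured EJB plus the container interceptor in front of it:
    // when no authenticated caller is seen, the interceptor runs the login module.
    static class SecuredCredentialBean {
        boolean callerAuthenticated; // constructed switch for the rare failing case
        boolean verify(String user, String password) throws LoginException {
            if (!callerAuthenticated) {
                new GuardedLoginModule(this, user, password).login();
            }
            return "secret".equals(password); // constructed credential check
        }
    }
    static class GuardedLoginModule implements LoginModule {
        // True while the current thread is already inside login().
        private static final ThreadLocal<Boolean> IN_LOGIN = ThreadLocal.withInitial(() -> false);
        private final SecuredCredentialBean bean;
        private final String user, password;
        GuardedLoginModule(SecuredCredentialBean b, String u, String p) { bean = b; user = u; password = p; }
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) { }
        public boolean login() throws LoginException {
            if (IN_LOGIN.get()) // re-entered via the interceptor: fail fast instead of overflowing the stack
                throw new LoginException("re-entrant authentication for " + user);
            IN_LOGIN.set(true);
            try {
                if (!bean.verify(user, password)) throw new FailedLoginException("bad credentials");
                return true;
            } finally {
                IN_LOGIN.set(false); // always clear, so the next login on this thread starts clean
            }
        }
        public boolean commit() { return true; }
        public boolean abort() { return true; }
        public boolean logout() { return true; }
    }
    public static void main(String[] args) {
        SecuredCredentialBean bean = new SecuredCredentialBean();
        for (boolean authenticated : new boolean[] { true, false }) {
            bean.callerAuthenticated = authenticated;
            try {
                System.out.println("login ok: " + new GuardedLoginModule(bean, "demo-user", "secret").login());
            } catch (LoginException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

The guard does not make the nested call succeed; it converts the unbounded recursion into a single `LoginException` that can be logged with the thread's stack trace to find which call path reached the secured EJB without a principal.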