Wolfgang, Thanks for your responses. I think we kind of fixed it. Got the clue from the security FAQ # 3 (http://www.jboss.org/community/docs/DOC-12198) Our code creates its own login-config.xml and that one was missing the following from the ClientLoginModule <!-- Any existing security context will be restored on logout --> <module-option name="restore-login-identity">true</module-option> After adding this to the file, the exception is not thrown anymore. Would you be able to explain what exactly this option does or where can I find more info on it. I will also be reading a little more on JBoss 5.0.0 security. Something that's interesting is that the custom login-config.xml file created by our tool, works fine wirh JBoss 4.2.3 (without adding the above lines). Only throws exception with JBoss 5.0.0. Thanks View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=4222469#... Reply to the post : http://www.jboss.org/index.html?module=bb&op=posting&mode=reply&a...