The flaw is that loginmodule and request sessions are not interoperable.
I propose a solution thus:
after requesting j_login_config and performing a successful login, you are automatically redirected
to the protected resource. Perhaps you need to use a FilterChain mapping on * and call
getUserPrincipal, then cast the ServletRequest to HttpServletRequest and get the session.
Check the session for whether the principal is null or equal. If it is null or not equal,
then the user has logged in or relogged in.
Hope this helps/works
View the original post :
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3957587#...