Sorry, rereading what I wrote and it doesn't make sense. The Principal can be got from the request after successful authentication by calling request.getPrincipal() After successful authentication Principal is cached till the expiry of HttpSession -- no need for extra authentication till session expires. But if you have other special requirements like preventing multiple sign on from different clients and such, then you'd have to to some work. View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=4238643#... Reply to the post : http://www.jboss.org/index.html?module=bb&op=posting&mode=reply&a...