Hey,
what I described yesterday was crap. The exceptions were not the root of the problem; they
happen with 4.0.3, too (TRACE).
The problem happens due to the new Tomcat way of authorization in:
| public class JBossSecurityMgrRealm extends RealmBase implements Realm
| ...
|    public boolean hasResourcePermission(Request request, Response response,
|       SecurityConstraint[] constraints, org.apache.catalina.Context context)
| ...
There it receives a principal without the roles, which was OK at that time; now they
need to be passed by the valve.
I just solved the issue by changing the HttpServletRequestResponseValve in the
negotiate-src.jar - just pass the principal instead of creating a new one without roles:
| // If we got a good principal back from the realm, then make sure it
| // gets set on the Request object
|
| if (principal != null)
| {
|    // Also make sure the good principal doesn't lose its roles on the way to the realm.
|    ((Request)httpRequest.get()).setUserPrincipal(principal);
|    //new SimplePrincipal(principal.getName()));
| }
I assume the author did intentionally pass a serializable one and I now don't...
I still wonder if someone from JBoss might take care of the negotiate-thing, like
integrating it in a clean way...? I guess I did what I could do here and in the wiki..
Am I allowed to create a JIRA request myself for that or can someone do that for me?
View the original post :
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3990053#...
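
An added illustration of the role loss described in the post above; it is not part of the original post and is not code from negotiate-src.jar, Tomcat or JBoss. `RoleLossDemo`, `NameOnlyPrincipal`, `RolePrincipal` and the simplified `hasResourcePermission` are hypothetical stand-ins, and the user name and role are constructed sample data.

```java
import java.io.Serializable;
import java.security.Principal;
import java.util.*;

// Simplified model of the role loss described in the post; every class here is
// hypothetical and stands in for, but is not, Tomcat or JBoss code.
public class RoleLossDemo {

    // Name-only principal, like the copy the valve used to create.
    static class NameOnlyPrincipal implements Principal, Serializable {
        private final String name;
        NameOnlyPrincipal(String name) { this.name = name; }
        public String getName() { return name; }
    }

    // Principal as returned after authentication: name plus roles.
    // It is Serializable as well (assumption: all role names are plain strings).
    static class RolePrincipal extends NameOnlyPrincipal {
        private final Set<String> roles;
        RolePrincipal(String name, Collection<String> roles) {
            super(name);
            this.roles = Collections.unmodifiableSet(new HashSet<>(roles));
        }
        boolean hasRole(String role) { return roles.contains(role); }
    }

    // Stand-in for the authorization check: it only trusts roles carried by
    // the principal on the request and denies when there are none.
    static boolean hasResourcePermission(Principal p, String requiredRole) {
        return p instanceof RolePrincipal && ((RolePrincipal) p).hasRole(requiredRole);
    }

    public static void main(String[] args) {
        // Constructed sample data: user name and role are made up.
        Principal authenticated = new RolePrincipal("alice", Arrays.asList("Manager"));

        // Old valve behaviour: new principal built from the name only, roles dropped.
        Principal stripped = new NameOnlyPrincipal(authenticated.getName());
        // Changed valve behaviour: the authenticated principal is passed through.
        Principal passedThrough = authenticated;

        System.out.println("stripped:      " + hasResourcePermission(stripped, "Manager"));
        System.out.println("passedThrough: " + hasResourcePermission(passedThrough, "Manager"));
    }
}
```

The name-only copy is denied because the check finds no roles on it, while the passed-through principal is granted access.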