Our company is migrating a large project from Orion to JBoss 4.0.5. This application relies on programmatic login in the Web tier. It is not practical to change that at this point, and we can't move to JBoss 4.2.x as well :-(. So I'm left with the only choice - to backport programmatic login feature from JBoss 4.2.0 to JBoss 4.0.5. Well, it seemed simple enough - add a ThreadLocal to store active request to SecurityAssociationValve, and add WebAuthentication class to handle actual login/logout. I did this, rebuilt JBoss, changed the application - and it had even worked. Sort of. Programmatic login works for exactly one request. When WebAuthentication.login() is called, the session becomes authenticated (all proper objects/roles are set appropriately). After the request ends, the session looses its authenticated status, and all requests after the one which did login become unauthenticated ones :-(((. Does anyone have an idea why this could happen, and/or what to do to fix this? As a temporary solution, I've implemented a filter which just repeats the login on each request - but, of course, this is not suitable for production environment. View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4114005#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...