"roeladriaensens" wrote : What about simply using a custom principal on server side, one that contains your user information? I considered this, but didn't pursue it because it seemed like I would be using the Principal for a purpose it wasn't really intended for. That is, for some types of user information (e.g. a SSN), a custom Principal is appropriate. However, I'm also talking about a more variable, cache-like approach (e.g. storing the currently active account that's being accessed, or a list of account codes the authenticated user is allowed to access -- in my project, a user can access multiple "accounts" which correspond to different database resources, among other things). I guess it would still work. I haven't created a custom Principal, before, though. If I were to do this, would I have any difficulty using the custom Principal as a cache that could be read and written to at run-time (e.g. if the authenticated user changed to a different active account, for example). View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4135029#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...