As usual, after banging my head so long that I finally decide to post, the solution comes shortly afterward. The main problem appears to have been that I had commented out some lines in the Tomcat SAR server.xml that refer to JAAS when JBoss was first installed, over 6 months ago. Not sure *why* I did that to begin with, but reverting back basically solved the problem, at least with respect to the web side of things. It looks as though the security domain is first loaded into JNDI when an attempt is made to access the restricted web pages. However, it still does not work for EJBs -- if I refer to the security domain in jboss.xml, the EJB deployments fail with the message "Unable to find security domain." Presumably though this is a dependency issue, and will be easier to solve (I hope). View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4005483#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...