Thanks for the hint. I tried to look around my codes for hidden/implicit security check but no luck. Even created a bare bone test and still no luck. So after 3 days of debugging, I have decided to 'hack' my login module to avoid certain actions in the second time the login module is invoked. This is definitely not a clean solution :( Thanks. View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4092849#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...